Independent Orbiter Assessment
Assessment of the Backup Flight System FMEA/CIL 


1.0 EXECUTIVE SUMMARY 

The McDonnell Douglas Astronautics Company (MDAC) was selected in 
June 1986 to perform an Independent Orbiter Assessment (IOA) of 
the Failure Mode and Effects Analysis (FMEA) and Critical Items 
List (CIL). Direction was given by the STS Orbiter and GFE
Projects Office to perform the hardware analysis using the
instructions and ground rules defined in NSTS 22206, Instructions
for Preparation of FMEA and CIL, October 10, 1986.

The IOA effort first completed an analysis of the Backup Flight 
System (BFS) hardware, generating draft failure modes and 
Potential Critical Items. To preserve independence, this 
analysis was accomplished without reliance upon the results 
contained within the NASA FMEA/CIL documentation. The IOA 
results were then compared to the proposed NASA post 51-L 
FMEA/CIL baseline. A resolution of each discrepancy from the 
comparison is provided through additional analysis as required. 
This report documents the results of that comparison for the 
Orbiter BFS hardware. 

The IOA product for the BFS analysis consisted of 29 failure mode 
"worksheets" that resulted in 21 Potential Critical Items (PCI) 
being identified. This product was originally compared with the
proposed NASA BFS baseline as of Oct. 1986 and subsequently
compared with the applicable (as of Nov. 19, 1987) Data
Processing System (DPS), Electrical Power Distribution and
Control (EPD&C), and Displays and Controls NASA CIL items. The
comparisons determined if there were any results which had been 
found by the IOA but were not in the NASA baseline. 

The original assessment determined there were numerous failure 
modes and potential critical items in the IOA analysis that were 
not contained in the NASA BFS baseline. Conversely, the NASA 
baseline contained three FMEAs (IMU, ADTA, and Air Data Probe) 
for CIL items that were not identified in the IOA product. The 
IOA prepared worksheets and agreed with the NASA analysis for the 
three items. This increased the IOA worksheets from 29 to 32 and 
the PCIs from 21 to 24 for the original assessment as shown in 
Figure 1. 

The NASA and Rockwell conducted several reviews and completed a 
substantial rewrite of all CILs between Dec. 1986 and Nov. 1987. 
This effort included eliminating BFS as a unique subsystem by 
integrating BFS CILs with primary DPS CILs. The revised NASA 
baseline contained four more FMEAs for CIL items that were not 
identified in the original IOA BFS product, deleted the IMU CIL 
related FMEA mentioned in the previous paragraph, and moved the 
ADTA and Air Data Probe CILs also mentioned in the previous
paragraph to the GN&C subsystem. Once again, the IOA prepared 
worksheets and agreed with the NASA analysis of the additional 
failures. This increased the IOA worksheets from 32 to 33 and
the PCIs from 24 to 25 for the final assessment. The IOA 
assessment of the final updated baseline (Nov. 19, 1987) results 
in agreement on all BFS CIL items even though there are 
differences in number of items and assigned criticalities. 

Figure 1 presents an overview of the assessment results. 

The differences in assigned criticalities are due to different 
interpretation and application of the FMEA/CIL preparation 
instructions contained in NSTS 22206. The IOA analyzed BFS 
hardware failures with the assumption the BFS had been or would 
be engaged. The NASA analyzed BFS hardware failures as an 
integral part of the DPS or EPD&C and therefore counted generic 
PASS failures when assigning criticalities to BFS hardware 
failure modes. The IOA interpretation neither added to nor
subtracted from the CIL.

The IOA and NASA analyses differed in level of detail and method 
of failure mode documentation. As a result, there are some 
differences in the number of CIL items. Regardless, a complete 
mapping exists between the IOA and FMEA/CIL items. Multiple IOA 
failures map into one FMEA for some hardware components and vice 
versa for other BFS elements. 

2.0 INTRODUCTION


2.1 Purpose 

The 51-L Challenger accident prompted the NASA to readdress 
safety policies, concepts, and rationale being used in the 
National Space Transportation System (NSTS). The NSTS Office has
undertaken the task of reevaluating the FMEA/CIL for the Space 
Shuttle design. The MDAC is providing an independent assessment 
of the Orbiter FMEA/CIL reevaluation results for completeness and 
technical accuracy. 

2.2 Scope 

The scope of the independent FMEA/CIL assessment activity 
encompasses those Shuttle Orbiter subsystems and GFE hardware
identified in the Space Shuttle Independent FMEA/CIL Assessment 
Contractor Statement of Work. Each subsystem analysis addresses 
hardware, functions, internal and external interfaces, and 
operational requirements for all mission phases. 

2.3 Analysis Approach 

The independent analysis approach is a top-down analysis utilizing
as-built drawings to divide the respective subsystem into
components and low-level hardware items. Each hardware item is
evaluated for failure mode, effects, and criticality. These data
are documented in the respective subsystem analysis report, and
are used to assess the proposed post 51-L NASA and Prime 
Contractor FMEA/CIL. The IOA analysis approach is summarized in 
the following Steps 1.0 through 3.0. Step 4.0 summarizes the 
assessment of the NASA and Prime Contractor FMEA/CIL which is 
documented in this report. 

Step 1.0   Subsystem familiarization
     1.1   Define subsystem functions
     1.2   Define subsystem components
     1.3   Define subsystem specific ground rules and
           assumptions

Step 2.0   Define subsystem analysis diagram
     2.1   Define subsystem
     2.2   Define major assemblies
     2.3   Develop detailed subsystem representations

Step 3.0   Failure events definition
     3.1   Construct matrix of failure modes
     3.2   Document IOA analysis results

Step 4.0   Compare IOA analysis data to NASA FMEA/CIL
     4.1   Resolve differences
     4.2   Review in-house
     4.3   Document assessment issues
     4.4   Forward findings to Project Manager

2.4 Ground Rules and Assumptions


The ground rules and assumptions used in the IOA are presented in 
Appendix B. The subsystem specific ground rules were defined to 
limit the analysis to single-failed-parts for each failure mode. 

A subset of the failure mode keywords were identified for the BFS 
team. This allowed for commonality in the analysis results. 

3.0 SUBSYSTEM DESCRIPTION


The following sections describe the BFS subsystem hardware. This 
hardware comprises a GPC, DDUs, BFCs, several switches, status 
indicators, and circuit protectors. An overview of the system 
components is shown in Figure 2. 

3.1 Design and Function 

The Backup Flight System provides the flight crew with a vehicle 
control capability to be used if the primary system malfunctions. 
The BFS software resides in one General Purpose Computer, 
normally GPC 5, during ascent and entry. In the event a generic 
failure occurs in the Primary Avionics Software System (PASS) or 
three or more primary GPCs fail, the crew will engage the BFS. 
During dynamic flight phases (all except onorbit), no capability
to return to the primary system is provided once the BFS is
engaged.

Hardware elements included in this report are those specific to
the BFS. Evaluation of components such as nav aids and flight
control sensors that are common to the BFS and the PASS and
components such as dedicated instrument displays that are driven
by the BFS outputs are excluded from this report. Processing
schemes differ between PASS and BFS with the result that some
component failures become more critical with BFS engaged. It is
beyond the scope of this report to present all the software
differences between PASS and BFS or to present a comparison of
the failure criticalities for non BFS-unique hardware with or
without BFS engaged.

The BFS is limited by definition, for this report, to those 
unique hardware items that function in response to the action 
taken by the flight crew to engage or disengage the BFS. A 
schematic diagram of these hardware items is shown in Figure 3. 
More specifically, the BFS consists of the following components: 

1. Two DDUs which supply power to the BFS engage switches
on the left and right RHCs and to the Hand Controller
Engage Drivers (HCEDs) in the Backup Flight Controller
(BFC) modules. Each DDU has three power supplies (A,
B and C) redundantly tied through regulators to two of
the three Main A, B and C buses.

2. Three BFCs, each with identical modules A and B, which 
receive inputs from crew configured switches and output 
discrete signals to their respective GPCs. Logic 
circuits select which GPCs control flight critical 
buses and drive CRT displays prior and subsequent to 
BFS engagement. 

3. One GPC loaded with backup flight software. From a
hardware standpoint, a GPC consists of a Central
Processing Unit (CPU) and an Input/Output Processor
(IOP), each with many subcomponents. Since there is
only one GPC to provide the backup control capability
it will be treated as a black box. Regardless of what
hardware component fails rendering the GPC inoperable,
the criticality is the same as a generic black box
failure.

4. Twenty crew activated switches (15 GPC, 2 BFS engage, 1 
BFS disengage, and 2 CRT) that are used to control GPC 
operating configuration and CRT interfaces with the BFS 
GPC. 

5. Crew interface with the BFS is through the
Multifunction CRT Display System (MCDS). During normal
flight operations, one of the cathode ray tubes (CRTs)
in the forward station will be commanded by the BFS.
BFS MCDS selection in the forward station is governed
by the BFS CRT switch on panel C3 or the GPC/CRT key on
the keyboard. Current preengage BFS procedures call
for CRT 3 to be the BFS CRT in the forward station.

The BFS operates in one of two operating states: engaged or
disengaged. The BFS is intended to remain in a disengaged state
during routine operations allowing the PASS to control the
vehicle. Both the engage and disengage states are provided to
the GPCs through a set of three hardware modules called Backup
Flight Controllers (BFCs). These BFCs provide interface through
a series of discrete signals between the GPCs and associated crew
station switches. Engage is accomplished by verifying that the
BFS GPC output switch is in the backup position and that the DDU
power supply breakers are in, and depressing the engage momentary
pushbutton on either the right or the left RHC.

When one of the RHC buttons is depressed, three discretes (A, B, 
C) of ones are sent to the BFS GPC through the BFC modules. The 
BFS GPC must receive two of three discretes plus a zero discrete 
from the I/O terminate B before the BFS can be engaged. After 
the BFS is engaged, control of the vehicle is assumed by the BFS, 
and the PASS GPCs go to a state of software halt. The BFS then 
controls the flight critical and payload data buses and specified 
display keyboard buses. Indications that the BFS is engaged are 
that BFC eyebrow panel lights on F2 and F4 will be ON, the BFS
output talkback (TB) on panel O6 will be gray, and all PASS GPC
output TBs on panel O6 will be barberpole.

In the disengaged state, the BFS GPC processes vehicle control 
parameters in parallel with the PASS GPCs. The BFS maintains 
knowledge of the vehicle state by listening on the flight 
critical data buses commanded by the PASS GPCs. The disengaged 
BFS GPC also performs limited SM and FDA functions during OPS 
1, 3, and 6. To disengage the BFS from the engage state, the BFC 
disengage switch on panel F6 is positioned to DISENGAGE (up
position). The engage discretes to the BFS will be reset to zero
and the I/O terminate discrete set to one. Control of the FC and
PL data buses will be released to the PASS. This is indicated
by the BFC light going OFF, the PASS output TBs going gray, and
BFS output TB going barberpole. The PASS GPCs must be re-initial
Program Loaded (re-IPLed) prior to disengage. Thus the BFS 
disengage capability is provided only during quiescent vehicle 
flight. 

If BFS is engaged it will drive several dedicated instrument 
displays in the forward station. This is instrumentation needed 
to safely fly the vehicle during the final phases of entry and 
landing. Two of the three Attitude Direction Indicators (ADIs) 
are driven by the BFS in OPS 1 and OPS 3. The four scales 
(Alpha, Accel, M/Vel, EAS) of the Alpha/Mach Indicator (AMI) are 
driven by BFS in OPS major modes 304 and 305. Likewise, the four 
scales (Alt Accel, Alt Rate, Alt, Rad Alt) of the 
Altitude/Vertical Velocity Indicator (AVVI) are driven by the
engaged BFS in major modes 304 and 305. The Horizontal Situation
Indicator (HSI) provides magnetic heading, course, course
deviation, glide slope deviation, and primary and secondary
bearing, and the Surface Position Indicator (SPI) provides
elevons, body flap percent, rudder, aileron, and speedbrake 
percent. The HSI and SPI are driven by the engaged BFS. 

3.2 Interfaces and Locations 

The BFS GPC and three BFCs are located in Avionics Bays 1 and 2.
All other hardware components are located in the forward flight
deck. The BFS interfaces with Orbiter subsystems via the flight
critical and payload data buses and flight forward and flight
aft MDMs.

3.3 Hierarchy 

Figure 2 illustrates the hierarchy of the BFS hardware 
components. 

3.4 BFS Sensitivity to Interfacing Subsystem Operation 

An exhaustive comparison of the BFS and PASS is beyond the scope 
of this report. However, a limited investigation of BFS 
sensitivity to operation in certain guidance, navigation and 
control subsystems was performed. References 12 and 13 
constituted the BFS capability description for this 
investigation.

Compared to the PASS, the BFS capability for fault detection is 
limited due to minimum redundancy management capability. As a 
result, the BFS is substantially more vulnerable to malfunctions 
in interfacing subsystems. The specific subsystems investigated
included the Inertial Measurement Units (IMUs), Air Data System
(ADS), Rate Gyro Assemblies (RGA) and Accelerometer Assemblies
(AA), Rotational Hand Controller (RHC), Speedbrake Thrust
Controller (SBTC), Rudder Pedal Transducer Assembly (RPTA), and
a limited collection of cockpit switches. 

3.4.1 Inertial Measurement Unit (IMU)

The BFS does not use the Built in Test Equipment (BITE) or
the ECHO features provided by the IMU hardware. The BFS
only faults an IMU when it has detected a Communications Fault
(COM FAULT). In nominal operations, the BFS uses a mid value
select. If one IMU is COM FAULTED, the lowest numbered IMU which
has not been COM FAULTED will be selected. If two IMUs have been
COM FAULTED, then data from the remaining IMU will be processed.
If all three IMUs are COM FAULTED, the system will then try to
reselect the last failed IMU.

This data selection process makes the BFS extremely sensitive and 
vulnerable to IMU number 1 malfunctions which do not result in a 
COM FAULT on IMU number 1. Without regard to IMU number 1 
performance, a simple COM FAULT on either IMU number 2 or 3 will 
allow that performance to be immediately propagated throughout 
the entire GN&C system. 
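
The selection rules above can be modelled in a few lines to show why an IMU number 1 malfunction that raises no COM FAULT is the critical case. This is an added illustration, not BFS flight software and not code from this report; the class and function names, the numeric readings, and the ordering used when several COM FAULTs appear in the same cycle are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TRUTH = 10.0  # constructed "true" attitude value, degrees
BIAS = 4.5    # constructed error of the malfunctioning IMU, degrees


@dataclass
class ImuSample:
    value: float             # constructed reading, degrees
    com_fault: bool = False  # True when a COM FAULT has been detected


class BfsImuSelector:
    """Simplified model of the data selection rules stated in section 3.4.1."""

    def __init__(self) -> None:
        # IMU ids in the order they became COM FAULTED (assumed bookkeeping).
        self._fault_order: List[int] = []

    def select(self, samples: Dict[int, ImuSample]) -> Tuple[int, float]:
        """Return (selected IMU id, value passed on) for three IMU samples."""
        for imu_id in sorted(samples):
            faulted = samples[imu_id].com_fault
            if faulted and imu_id not in self._fault_order:
                self._fault_order.append(imu_id)
            elif not faulted and imu_id in self._fault_order:
                self._fault_order.remove(imu_id)

        available = [i for i in sorted(samples) if not samples[i].com_fault]

        if len(available) == 3:
            # Nominal: mid value select. A single outlier is never the middle.
            chosen = sorted(available, key=lambda i: samples[i].value)[1]
        elif len(available) == 2:
            # One COM FAULT: lowest numbered remaining IMU, with no cross-check.
            chosen = available[0]
        elif len(available) == 1:
            # Two COM FAULTs: the remaining IMU is used as is.
            chosen = available[0]
        else:
            # All three COM FAULTED: try to reselect the last failed IMU.
            chosen = self._fault_order[-1]
        return chosen, samples[chosen].value


def run_scenario(bad_imu: int,
                 com_faulted_imu: Optional[int]) -> List[Tuple[int, float]]:
    """Two cycles: all IMUs communicating, then one IMU COM FAULTED.

    bad_imu reads TRUTH + BIAS throughout but never raises a COM FAULT,
    which is the malfunction class the BFS cannot see without BITE.
    """
    readings = {1: TRUTH + 0.02, 2: TRUTH, 3: TRUTH - 0.02}
    readings[bad_imu] = TRUTH + BIAS
    selector = BfsImuSelector()
    results = []
    for cycle_fault in (None, com_faulted_imu):
        samples = {i: ImuSample(v, com_fault=(i == cycle_fault))
                   for i, v in readings.items()}
        results.append(selector.select(samples))
    return results


if __name__ == "__main__":
    for bad, lost in ((1, 3), (1, 2), (2, 3), (3, 2)):
        before, after = run_scenario(bad, lost)
        print(f"bad IMU {bad}, COM FAULT on IMU {lost}: "
              f"before -> IMU {before[0]} ({before[1]:.2f}), "
              f"after -> IMU {after[0]} ({after[1]:.2f})")
```

With a bad IMU number 1, the mid value select masks the error while all three units communicate, and the first COM FAULT on IMU number 2 or 3 hands the erroneous value straight through. The same silent error on IMU number 2 or 3 is not selected in these cases because IMU number 1 is chosen instead.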

3.4.2 Air Data System (ADS) 

The data from this subsystem is vital to many computations, since 
several of the items measured by this subsystem are used 
throughout the GN&C software. The main item of concern is the 
Nose Landing Gear Uplock Discrete, V51X0300X. This discrete is 
used by the BFS software to determine if a correction factor is 
applied in the angle of attack calculation, the corrected static 
pressure calculation, and the corrected total pressure 
calculation. These three terms are then used to determine Mach 
number, pressure altitude, dynamic pressure (Q-Bar), equivalent
airspeed (EAS) , and estimated true airspeed. The inclusion of 
the correction factor in the calculation is due to changes in the 
flow around the ADS when the nose gear is down. 

Depending on the size of the correction factor being applied, the 
corrected static pressure and corrected total pressure values 
could be changed by a significant amount. Any calculations which 
use these values in either a first order or second order 
calculation would be in error, and this error would be factored 
into the Guidance and Navigation functions. The errors could be 
large enough to cause a loss of the vehicle. 

3.4.3 Rate Gyro Assemblies (RGA) and Accelerometer Assemblies (AA) 

The BFS uses three of the four RGAs on the Orbiter and three 
of four RGAs on the Solid Rocket Boosters (SRB). Similarly, the
BFS uses only three of the four AAs. One set of scale factor and 
bias data is used for the three Orbiter RGAs, another set of 
scale factor and bias data is used for the RGAs on the SRBs, and 
another set of scale factor and bias data is used for all AAs. 

The PASS provides scale factor and bias data for each of the RGAs 
and AAs. 

The use of a single set of scale factor and bias data for a group 
of RGAs and AAs is acceptable if the LRUs are very consistent. 
If, however, the performance of the LRUs is inconsistent, the data
coming back could have large, over-compensated variations. 

3.4.4 Rotational Hand Controller (RHC) 

The BFS does not support RHC processing in ascent modes. The BFS 
does not validate the RHC inputs by using the data good indicator 
as in the PASS. There is no requirement to process the left RHC 
data before or after the right RHC data. The lack of a 
requirement for the order of processing RHC data is different 
than that found in the PASS. There may be a need to process 
the Commander's inputs before the Pilot's, as is done in the 
PASS. 

3.4.5 Speedbrake Thrust Controller (SBTC)

The BFS does not have manual throttling capability in ascent as 
does the primary. The BFS does process both SBTCs. 

3.4.6 Rudder Pedal Transducer Assembly (RPTA) 

The BFS processes only the Commander's inputs. There is no 
redundancy when the BFS is engaged. 

3.4.7 Cockpit Switches 

The following switches are redundant, one set at the Commander's 
station and another set at the Pilot's station. The BFS 
processes only those switches at the Commander's station. 
Therefore, when the BFS is engaged, the PLT switches cannot be
considered redundant to the CDR switches. 

4.0 ASSESSMENT RESULTS

The IOA analysis of the BFS hardware initially generated 29 
failure mode worksheets and identified 21 Potential Critical 
Items before starting the assessment process. In order to 
facilitate comparison, additional worksheets were generated. The 
analysis results were compared to the proposed NASA Post 51-L 
baseline. Upon completion of the assessment, there was agreement 
on all CIL items. The FMEAs for non-CIL items have not yet been 
revised; therefore, an IOA assessment of non-CIL FMEAs is not 
included in this report. 

A summary of the quantity of NASA CIL items assessed versus the 
IOA baseline is presented in Table I. 


Table I   Summary of IOA CIL Assessment

Component             NASA    IOA    Issues
DDU                      4      1         0
BFC                      2      9         0
GPC                      4      2         0
Switches                 5      5         0
Circuit Protectors       7      8         0
Total                   22     25         0


The differences in the number of CIL items for a specific 
component are attributable to differences in the depth of 
analyses and documentation approach. 

Appendix C presents the detailed assessment worksheets for each 
failure mode identified and assessed. Appendix D highlights the 
NASA Critical Items and corresponding IOA worksheet ID. Appendix 
E contains the additional IOA analysis worksheets that were 
prepared to support the NASA FMEA/CIL assessment. Appendix F 
provides a cross reference between the NASA FMEA and 
corresponding IOA worksheets. 

Table II presents a summary of the IOA failure criticalities. 
Further discussion of each of these subdivisions and the 
applicable failure modes is provided in subsequent paragraphs. 

TABLE II   Summary of IOA Failure Modes and Criticalities

Criticality:       1/1   2/1R   2/2   3/1R   3/2R   3/3   TOTAL
DDU                  -      1     -      -      -     -       1
BFC                  6      1     -      1      1     1      10
GPC                  2      -     -      -      -     -       2
SWITCHES             4      1     -      -      1     3       9
CIRC. PROTECT.       5      -     -      4      -     -       9
INDICATORS           -      -     -      -      -     2       2
TOTAL               17      3     -      5      2     6      33


Of the failure modes analyzed, twenty-five were determined to be
critical items. A summary of the IOA critical items is presented 
in Table III. 


TABLE III   Summary of IOA Critical Items

Criticality:       1/1   2/1R   2/2   3/1R   3/2R   TOTAL
DDU                  -      1     -      -      -       1
BFC                  6      1     -      1      1       9
GPC                  2      -     -      -      -       2
SWITCHES             4      1     -      -      -       5
CIRC. PROTECT.       5      -     -      3      -       8
INDICATORS           -      -     -      -      -       -
TOTAL               17      3     -      4      1      25


The scheme for assigning IOA assessment (Appendix C) and analysis 
(Appendix E) worksheet numbers is shown in Table IV. 


TABLE IV   IOA Worksheet Numbers

Component          IOA ID Number
DDU                BFS-101
BFC                BFS-201 to BFS-210
GPC                BFS-301 to BFS-302
SWITCHES           BFS-401 to BFS-409
CIRC. PROTECT.     BFS-501 to BFS-509
INDICATORS         BFS-601 to BFS-602
IMU                BFS-1001
ADS                BFS-2001 to BFS-2002

4.1 Display Driver Unit

The NASA update documented loss of output and partial output for 
the left and right DDUs as four separate failures. The IOA 
documented the same failures on one analysis worksheet. The 
analyses agree that DDU output failure should be a CIL item. 

4.2 Backup Flight Controller 

The NASA update considered BFCs as black box components of the 
Data Processing and Software system. Two BFC CIL failure modes 
were identified: loss/erroneous output (2/1R) and inadvertent 
engage (3/1R, fails B screen). The IOA recognized the single
point failure potential (criticality 1/1) of several functional 
components within the BFCs and elected to document failures at 
lower than black box level of detail. The disparity in 
criticality assignment is attributed to a philosophical 
difference between the IOA and FMEA. The IOA criticality is 
based on the effects of a failure occurring to a BFS component 
after a generic PASS failure, i.e., when the BFS is required. 

The NASA analysis considers a generic PASS failure as the first 
failure when assigning criticality to BFS components. As a 
result, for many component failure modes, the IOA criticality 
will appear to be more severe than the FMEA criticality. 

The specific IOA BFC failures are mapped into the higher level 
NASA FMEAs in the final assessment. The IOA agrees with the FMEA 
criticalities if the PASS failure is considered. 

In summary, the IOA makes two recommendations: 

1. FMEAs should be generated for functional components 
within the BFC. 

2. Instructions contained in NSTS 22206 should clearly 
specify whether PASS failures should be considered when 
assigning criticalities to BFS hardware failure modes. 

4.3 General Purpose Computer 

The IOA generated two failure mode worksheets for the BFS GPC 
which correspond to four FMEAs. The IOA treated the GPC as a 
black box, identified no output and erroneous output as failure 
modes, and assigned a criticality of 1/1 to each. The NASA 
update identified the same two failures but treated the GPC as 
two black boxes, i.e., a CPU and an IOP, and gave each failure a
2/1R criticality. The analyses agree that GPC output failures 
should be CIL items. The criticality discrepancy is due to the 
same philosophical difference discussed in the previous section. 
The IOA therefore recommends no change to the updated NASA GPC 
FMEAs. 

4.4 Switches 

Except for minor criticality differences, the IOA and FMEA agree 
on five switch failure CIL items. The IOA analysis originally 
identified a failed open BFC disengage switch (3/2R, fails B 
screen) as a sixth CIL candidate. As a result of further review
during the assessment task, the IOA believes the crew can readily 
detect the failure and perform a simple work-around procedure if 
necessary to disengage the BFS on orbit. Therefore, the IOA 
concludes the fail open mode for the BFC disengage switch 
contacts should not be considered as a critical item and 
recommends the failure be documented in the updated FMEAs for
non-CIL items. 

4.5 Circuit Protectors

The IOA identified open circuit of fuses F9, F10, F11, and F49 as
criticality 1/1 failures and documented them as four separate CIL
items. The same four fuses and failure modes are documented as
criticality 2/1R in two updated FMEAs. The IOA concludes that 
since both approaches identify the same components and failure 
modes as CIL items there are no significant issues. 

The NASA update includes two EPD&C-D&C Subsystem FMEAs that 
identify open circuit failure of circuit breakers CB29, 30, and 
32 as 3/1R criticality and includes them as CIL items because 
they fail the B screen. The IOA initially concluded that all 
redundancy screens were passed. Upon further review, the IOA 
agrees with the NASA update.

The IOA prepared three supplemental worksheets for failures 
overlooked in the original analysis. These covered open and 
short circuit failures in the BFS GPC and BFC main bus isolation 
diodes and open circuit failure of fuse F28 in the main bus 
supply line to the BFS BFC power monitor logic. The IOA agrees 
with the FMEA for these CIL items. 

In summary, there are no issues regarding BFS related circuit 
protectors between the IOA and updated NASA FMEAs. 

4.6 Indicators 

There is an exact match between the IOA and the baseline FMEAs 
for the BFC engage lights. There are no issues. 

5.0 REFERENCES


Reference documentation available from NASA and Rockwell was used 
in the analysis. The documentation used included the following: 


 1. NSTS 22206          Instructions for Preparation of Failure
                        Modes and Effects Analysis (FMEA) and
                        Critical Items List (CIL), 10 October 1986

 2. JSC 18820           Data Processing System Briefs, Basic,

 3. VS70-971099         Rockwell Integrated Systems Schematics,
                        OV-99, 103, 104 GNC & DPS, 3-14-85

 4. JSC 12770           Shuttle Flight Operations Manual, Volume
                        5, Data Processing System, 3-21-84

 5. JSC 18219           Flight Procedures Handbook, Post
                        Insertion, Final Revision A, 1-18-85

 6. JSC 18817           Flight Procedures Handbook, Deorbit
                        Prep, 3-1-83

 7. TD123               Backup Flight System Software Workbook,
                        BFS 2102, 8-10-82

 8. V72 FILE III        Orbiter Operations and Maintenance
                        Requirements and Specification Document,
                        6-13-86

 9. NSTS 08171 FILE I   Operations and Maintenance Requirements
                        and Specifications Document, 7-14-86

10. JSC 12820           STS Operational Flight Rules, PCN-1,
                        2-14-86

11. TD198/A198          GNC Overview Workbook, GNC OV 2102,
                        8-30-83

12. MG038101            Backup System Service Program
                        Requirement Document, Seq. 1, Rev. H,
                        3 January 1985

13. MG038106            Backup Flight System, Hardware Interface
                        Program and GN&C Interface Program
                        Requirements Document, Rev. E, 3 July
                        1985

APPENDIX A
ACRONYMS


ADTA   - Air Data Transducer Assembly
AOA    - Abort Once Around
ATO    - Abort to Orbit
BFC    - Backup Flight Controller
BFS    - Backup Flight System
BSS    - Backup System Services
CIL    - Critical Items List
CPU    - Central Processing Unit
CRIT   - Criticality
CRT    - Cathode Ray Tube
C&W    - Caution and Warning System
DDU    - Display Driver Unit
DEU    - Display Electronics Unit
DPS    - Data Processing System
DU     - Display Unit
EVA    - Extra Vehicular Activity
FA     - Flight Aft
FF     - Flight Forward
FM     - Failure Mode
FMEA   - Failure Mode and Effects Analysis
GPC    - General Purpose Computer
GSE    - Ground Support Equipment
HCED   - Hand Controller Engage Driver
IMU    - Inertial Measurement Unit
IOA    - Independent Orbiter Assessment
IOP    - Input/Output Processor
IPL    - Initial Program Load
KU     - Keyboard Unit
LRU    - Line Replaceable Unit
MCDS   - Multifunction CRT Display System
MDAC   - McDonnell Douglas Astronautics Company
MDM    - Multiplexer/Demultiplexer
MM     - Major Mode
MMU    - Mass Memory Unit
NA     - Not Applicable
NASA   - National Aeronautics and Space Administration
NSTS   - National Space Transportation System
OMRSD  - Operational Maintenance Requirements and Specifications
         Document
OMS    - Orbital Maneuvering System
PAS    - Primary Avionics System
PASS   - Primary Avionics Software System
PB     - Pushbutton
PCI    - Potential Critical Item
RCS    - Reaction Control System
RHC    - Rotational Hand Controller
RI     - Rockwell International
RM     - Redundancy Management
RPC    - Remote Power Controller
RS     - Redundant Set
RTLS   - Return to Landing Site
SFP    - Single Failure Point
SM     - Systems Management
STS    - Space Transportation System
SW     - Software
         Switch
TAC    - Tacan
TAL    - Transatlantic Abort Landing
TD     - Touch Down
THC    - Translational Hand Controller


APPENDIX B 


DEFINITIONS, GROUND RULES, AND ASSUMPTIONS


B.1 Definitions

B.2 Project Level Ground Rules and Assumptions

B.3 Subsystem-Specific Ground Rules and Assumptions

B.1 Definitions

Definitions contained in NSTS 22206, Instructions For Preparation
of FMEA/CIL, 10 October 1986, were used with the following
amplifications and additions.

INTACT ABORT DEFINITIONS: 

RTLS - begins at transition to OPS 6 and ends at transition
to OPS 9, post-flight

TAL - begins at declaration of the abort and ends at 
transition to OPS 9, post-flight 

AOA - begins at declaration of the abort and ends at 
transition to OPS 9, post-flight 

ATO - begins at declaration of the abort and ends at 
transition to OPS 9, post-flight 

CREDIBLE (CAUSE) - an event that can be predicted or expected in
anticipated operational environmental conditions. Excludes an 
event where multiple failures must first occur to result in 
environmental extremes 

CONTINGENCY CREW PROCEDURES - procedures that are utilized beyond 
the standard malfunction procedures, pocket checklists, and cue 
cards 

EARLY MISSION TERMINATION - termination of onorbit phase prior to 
planned end of mission 

EFFECTS/RATIONALE - description of the case which generated the
highest criticality 

HIGHEST CRITICALITY - the highest functional criticality 
determined in the phase-by-phase analysis 

MAJOR MODE - major sub-mode of software operational sequence
(OPS)

MC - Memory Configuration of Primary Avionics Software System 
(PASS) 

MISSION - assigned performance of a specific Orbiter flight with 
payload/objective accomplishments including orbit phasing and 
altitude (excludes secondary payloads such as GAS cans, 
middeck P/L, etc.) 

MULTIPLE ORDER FAILURE - describes the failure due to a single
cause or event of all units which perform a necessary (critical) 
function 

OFF-NOMINAL CREW PROCEDURES - procedures that are utilized beyond 
the standard malfunction procedures, pocket checklists, and cue 
cards 

OPS - software operational sequence 

PRIMARY MISSION OBJECTIVES - worst case primary mission objectives
are equal to mission objectives

PHASE DEFINITIONS:

PRELAUNCH PHASE - begins at launch count-down Orbiter 
power-up and ends at moding to OPS Major Mode 102 (liftoff) 

LIFTOFF MISSION PHASE - begins at SRB ignition (MM 102) and 
ends at transition out of OPS 1 (Synonymous with ASCENT) 

ONORBIT PHASE - begins at transition to OPS 2 or OPS 8 and 
ends at transition out of OPS 2 or OPS 8 

DEORBIT PHASE - begins at transition to OPS Major Mode 
301 and ends at first main landing gear touchdown 

LANDING/SAFING PHASE - begins at first main gear
touchdown and ends with the completion of post-landing 
safing operations 



B.2 IOA Project Level Ground Rules and Assumptions 

The philosophy embodied in NSTS 22206, Instructions for
Preparation of FMEA/CIL, 10 October 1986, was employed with the
following amplifications and additions.


1. The operational flight software is an accurate 
implementation of the Flight System Software Requirements 
(FSSRs).

RATIONALE: Software verification is out-of-scope of 
this task. 

2. After liftoff, any parameter which is monitored by system 
management (SM) or which drives any part of the Caution and 
Warning System (C&W) will support passage of Redundancy 
Screen B for its corresponding hardware item. 

RATIONALE: Analysis of on-board parameter availability 
and/or the actual monitoring by the crew 
is beyond the scope of this task. 

3. Any data employed with flight software is assumed to be 
functional for the specific vehicle and specific mission 
being flown. 

RATIONALE: Mission data verification is out-of-scope of 
this task. 

4. All hardware (including firmware) is manufactured and 
assembled to the design specifications/drawings. 

RATIONALE: Acceptance and verification testing is
designed to detect and identify problems
before the item is approved for use.

5. All Flight Data File crew procedures will be assumed 
performed as written, and will not include human error in 
their performance. 

RATIONALE: Failures caused by human operational error 
are out-of-scope of this task. 

6. All hardware analyses will, as a minimum, be performed at
the level of analysis existent within NASA/Prime Contractor
Orbiter FMEA/CILs, and will be permitted to go to greater
hardware detail levels but not lesser.

RATIONALE: Comparison of IOA analysis results with
other analyses requires that both analyses
be performed to a comparable level of
detail.

7. Verification that a telemetry parameter is actually 
monitored during AOS by ground-based personnel is not 
required. 

RATIONALE: Analysis of mission-dependent telemetry
availability and/or the actual monitoring of
applicable data by ground-based personnel is
beyond the scope of this task.

8. The determination of criticalities per phase is based on the
worst case effect of a failure for the phase being analyzed.
The failure can occur in the phase being analyzed or in
any previous phase, whichever produces the worst case
effects for the phase of interest.

RATIONALE: Assigning phase criticalities ensures a 
thorough and complete analysis. 

9. Analysis of wire harnesses, cables, and electrical connectors 
to determine if FMEAs are warranted will not be performed 
nor FMEAs assessed. 

RATIONALE: Analysis was substantially complete prior
to NSTS 22206 ground rule redirection.

10. Analysis of welds or brazed joints that cannot be inspected
will not be performed nor FMEAs assessed.

RATIONALE: Analysis was substantially complete prior
to NSTS 22206 ground rule redirection.

11. Emergency system or hardware will include burst discs and
will exclude the EMU Secondary Oxygen Pack (SOP), pressure
relief valves and the landing gear pyrotechnics.

RATIONALE: Clarify definition of emergency systems to 
ensure consistency throughout IOA project. 

B.3 BFS-Specific Ground Rules and Assumptions

1. BFS failures are analyzed assuming that the BFS is (or 
will be) engaged. 

RATIONALE: Failure analysis and criticality
determination is done assuming that the
BFS must work when called upon to do so.

2. Failures which resulted in BFS engagement are not
identified or analyzed.

RATIONALE: Except for the PASS, it is assumed that
other subsystems are operating within
normal limits.

3. Only BFS-specific components and failure modes are
analyzed.

RATIONALE: Failure analysis of PASS/BFS common
components is accomplished within the
PASS analysis.



APPENDIX C 
DETAILED ASSESSMENT 


This section contains the IOA assessment worksheets generated 
during the assessment of this subsystem. The information on 
these worksheets facilitates the comparison of the NASA FMEA/CIL 
(pre and post 51-L) to the IOA detailed analysis worksheets 
included in Appendix E. Each of these worksheets identifies the
NASA FMEA being assessed, corresponding MDAC Analysis Worksheet
ID (Appendix E), hardware item, criticality, redundancy screens,
and recommendations. For each failure mode, the highest assessed 
hardware and functional criticality is compared and discrepancies 
noted as "N" in the compare row under the column where the 
discrepancy occurred. 


LEGEND FOR IOA ASSESSMENT WORKSHEETS 


Hardware Criticalities:

  1 = Loss of life or vehicle
  2 = Loss of mission or next failure of any redundant item
      (like or unlike) could cause loss of life/vehicle
  3 = All others

Functional Criticalities:

  1R = Redundant hardware items (like or unlike) all of which,
       if failed, could cause loss of life or vehicle
  2R = Redundant hardware items (like or unlike) all of which,
       if failed, could cause loss of mission

Redundancy Screens A, B and C:

  P  = Passed Screen
  F  = Failed Screen
  NA = Not Applicable

NASA Data:

  Baseline = Pre 51-L FMEA/CIL
  New      = Post 51-L FMEA/CIL (Baseline plus Proposed Changes)

CIL Item:

  X = Included in CIL

Compare Row:

  N = Non compare for that column (deviation)

APPENDIX C
ASSESSMENT WORKSHEET

ASSESSMENT DATE: 11/24/87
ASSESSMENT ID:   BFS-101
NASA FMEA #:     05-3-12200A-1

NASA DATA:
  BASELINE [   ]
  NEW      [ X ]

SUBSYSTEM:    BACKUP FLIGHT SYSTEM
MDAC ID:      101
ITEM:         POWER SUPPLY A(B, C) TO L(R) RHC

LEAD ANALYST: L.W. HINSDALE/E.E. PRUST

ASSESSMENT:

            CRITICALITY    REDUNDANCY SCREENS     CIL
              FLIGHT                              ITEM
             HDW/FUNC       A       B       C

NASA        [ 3 /1R ]     [ P ]   [ P ]   [ F ]   [ X ]
IOA         [ 2 /1R ]     [ P ]   [ P ]   [ P ]   [ X ]

COMPARE     [ N /   ]     [   ]   [   ]   [ N ]   [   ]

RECOMMENDATIONS: (If different from NASA)

            [   /   ]     [   ]   [   ]   [   ]   [   ]
                                                  (ADD/DELETE)

* CIL RETENTION RATIONALE: (If applicable) 

ADEQUATE [ X ] 
INADEQUATE [ ] 

REMARKS: 

THIS HARDWARE ITEM IS COVERED IN THE NASA D&C ANALYSIS. 


REPORT DATE 02/22/88 

APPENDIX C
ASSESSMENT WORKSHEET

ASSESSMENT DATE: 11/24/87
ASSESSMENT ID:   BFS-101A
NASA FMEA #:     05-3-12200A-2

NASA DATA:
  BASELINE [   ]
  NEW      [ X ]

SUBSYSTEM:    BACKUP FLIGHT SYSTEM
MDAC ID:      101
ITEM:         POWER SUPPLY A(B, C) TO L(R) RHC

LEAD ANALYST: L.W. HINSDALE/E.E. PRUST

ASSESSMENT:

            CRITICALITY    REDUNDANCY SCREENS     CIL
              FLIGHT                              ITEM
             HDW/FUNC       A       B       C

NASA        [ 3 /1R ]     [ P ]   [ P ]   [ F ]   [ X ]
IOA         [ 2 /1R ]     [ P ]   [ P ]   [ P ]   [ X ]

COMPARE     [ N /   ]     [   ]   [   ]   [ N ]   [   ]

RECOMMENDATIONS: (If different from NASA)

            [   /   ]     [   ]   [   ]   [   ]   [   ]
                                                  (ADD/DELETE)

* CIL RETENTION RATIONALE: (If applicable) 

ADEQUATE [ X ] 
INADEQUATE [ ] 

REMARKS:

THIS HARDWARE ITEM IS COVERED IN THE NASA D&C ANALYSIS. 


REPORT DATE 02/22/88 

APPENDIX C
ASSESSMENT WORKSHEET

ASSESSMENT DATE: 11/24/87
ASSESSMENT ID:   BFS-101B
NASA FMEA #:     05-3-12200B-1

NASA DATA:
  BASELINE [   ]
  NEW      [ X ]

SUBSYSTEM:    BACKUP FLIGHT SYSTEM
MDAC ID:      101
ITEM:         POWER SUPPLY A(B, C) TO L(R) RHC

LEAD ANALYST: L.W. HINSDALE/E.E. PRUST

ASSESSMENT:

            CRITICALITY    REDUNDANCY SCREENS     CIL
              FLIGHT                              ITEM
             HDW/FUNC       A       B       C

NASA        [ 3 /1R ]     [ P ]   [ P ]   [ F ]   [ X ]
IOA         [ 2 /1R ]     [ P ]   [ P ]   [ P ]   [ X ]

COMPARE     [ N /   ]     [   ]   [   ]   [ N ]   [   ]

RECOMMENDATIONS: (If different from NASA)

            [   /   ]     [   ]   [   ]   [   ]   [   ]
                                                  (ADD/DELETE)


* CIL RETENTION RATIONALE: (If applicable) 

ADEQUATE [ X ] 
INADEQUATE [ ] 

REMARKS:

THIS HARDWARE ITEM IS COVERED IN THE NASA D&C ANALYSIS. 


REPORT DATE 02/22/88 

APPENDIX C
ASSESSMENT WORKSHEET

ASSESSMENT DATE: 11/24/87
ASSESSMENT ID:   BFS-101C
NASA FMEA #:     05-3-12200B-2

NASA DATA:
  BASELINE [   ]
  NEW      [ X ]

SUBSYSTEM:    BACKUP FLIGHT SYSTEM
MDAC ID:      101
ITEM:         POWER SUPPLY A(B, C) TO L(R) RHC

LEAD ANALYST: L.W. HINSDALE/E.E. PRUST

ASSESSMENT:

            CRITICALITY    REDUNDANCY SCREENS     CIL
              FLIGHT                              ITEM
             HDW/FUNC       A       B       C

NASA        [ 3 /1R ]     [ P ]   [ P ]   [ F ]   [ X ] *
IOA         [ 2 /1R ]     [ P ]   [ P ]   [ P ]   [ X ]

COMPARE     [ N /   ]     [   ]   [   ]   [ N ]   [   ]

RECOMMENDATIONS: (If different from NASA)

            [   /   ]     [   ]   [   ]   [   ]   [   ]
                                                  (ADD/DELETE)

* CIL RETENTION RATIONALE: (If applicable) 

ADEQUATE [ X ] 
INADEQUATE [ ] 

REMARKS: 

THIS HARDWARE ITEM IS COVERED IN THE NASA D&C ANALYSIS. 


REPORT DATE 02/22/88 





APPENDIX C
ASSESSMENT WORKSHEET

ASSESSMENT DATE: 11/24/87
ASSESSMENT ID:   BFS-201
NASA FMEA #:     05-5-B30-1-2

NASA DATA:
  BASELINE [   ]
  NEW      [ X ]

SUBSYSTEM:    BACKUP FLIGHT SYSTEM
MDAC ID:      201
ITEM:         HALT RELAY

LEAD ANALYST: L.W. HINSDALE/E.E. PRUST

ASSESSMENT:

            CRITICALITY    REDUNDANCY SCREENS     CIL
              FLIGHT                              ITEM
             HDW/FUNC       A       B       C

NASA        [ 2 /1R ]     [ F ]   [ F ]   [ P ]   [ X ] *
IOA         [ 1 /1  ]     [ P ]   [ P ]   [ NA]   [ X ]

COMPARE     [ N /N  ]     [ N ]   [ N ]   [ N ]   [   ]

RECOMMENDATIONS: (If different from NASA)

            [   /   ]     [   ]   [   ]   [   ]   [   ]
                                                  (ADD/DELETE)


* CIL RETENTION RATIONALE: (If applicable) 

ADEQUATE [ X ] 
INADEQUATE [ ] 

REMARKS:

THE IOA IDENTIFIED COMPONENT FAILURES WITHIN A BFC. THE FMEA
TREATED THE BFC AS A BLACK BOX. THE IOA AGREES THAT FAILURE OF
THE HALT RELAY IS COVERED BY THE BFC LOSS OF OUTPUT/ERRONEOUS
OUTPUT FMEA.

THE IOA RECOMMENDS THAT A FUNCTIONAL DESCRIPTION OF THE HALT 
RELAY AND AN EXPLANATION OF THE FAILED CLOSED CONSEQUENCES BE 
ADDED TO THE FMEA FOR COMPLETENESS. 


REPORT DATE 02/22/88 

APPENDIX C
ASSESSMENT WORKSHEET

ASSESSMENT DATE: 11/24/87
ASSESSMENT ID:   BFS-202
NASA FMEA #:     05-5-B30-1-2

NASA DATA:
  BASELINE [   ]
  NEW      [ X ]

SUBSYSTEM:    BACKUP FLIGHT SYSTEM
MDAC ID:      202
ITEM:         HALT RELAY

LEAD ANALYST: L.W. HINSDALE/E.E. PRUST

ASSESSMENT:

            CRITICALITY    REDUNDANCY SCREENS     CIL
              FLIGHT                              ITEM
             HDW/FUNC       A       B       C

NASA        [ 2 /1R ]     [ F ]   [ F ]   [ P ]   [ X ] *
IOA         [ 3 /2R ]     [ P ]   [ F ]   [ P ]   [   ]

COMPARE     [ N /N  ]     [ N ]   [   ]   [   ]   [ N ]

RECOMMENDATIONS: (If different from NASA)

            [   /   ]     [   ]   [   ]   [   ]   [   ]
                                                  (ADD/DELETE)


* CIL RETENTION RATIONALE: (If applicable) 

ADEQUATE [ X ] 
INADEQUATE [ ] 

REMARKS: 

THE IOA IDENTIFIED COMPONENT FAILURES WITHIN A BFC. THE FMEA 
TREATED THE BFC AS A BLACK BOX. THE IOA AGREES THAT FAILURE OF 
THE HALT RELAY IS COVERED BY THE BFC LOSS OF OUTPUT/ERRONEOUS
OUTPUT FMEA. 

THE IOA RECOMMENDS THAT A FUNCTIONAL DESCRIPTION OF THE HALT 
RELAY AND AN EXPLANATION OF THE FAILED OPEN CONSEQUENCES BE ADDED 
TO THE FMEA FOR COMPLETENESS. 


REPORT DATE 02/22/88 

APPENDIX C
ASSESSMENT WORKSHEET

ASSESSMENT DATE: 11/24/87
ASSESSMENT ID:   BFS-203
NASA FMEA #:     05-5-B30-1-2

NASA DATA:
  BASELINE [   ]
  NEW      [ X ]

SUBSYSTEM:    BACKUP FLIGHT SYSTEM
MDAC ID:      203
ITEM:         HAND CONTROLLER ENGAGE DRIVER

LEAD ANALYST: L.W. HINSDALE/E.E. PRUST

ASSESSMENT:

            CRITICALITY    REDUNDANCY SCREENS     CIL
              FLIGHT                              ITEM
             HDW/FUNC       A       B       C

NASA        [ 2 /1R ]     [ F ]   [ F ]   [ P ]   [ X ] *
IOA         [ 2 /1R ]     [ P ]   [ F ]   [ P ]   [ X ]

COMPARE     [   /   ]     [ N ]   [   ]   [   ]   [   ]

RECOMMENDATIONS: (If different from NASA)

            [   /   ]     [   ]   [   ]   [   ]   [   ]
                                                  (ADD/DELETE)


* CIL RETENTION RATIONALE: (If applicable) 

ADEQUATE [ X ] 
INADEQUATE [ ] 

REMARKS: 

THE IOA IDENTIFIED COMPONENT FAILURES WITHIN A BFC. THE FMEA
TREATED THE BFC AS A BLACK BOX. THE IOA AGREES THAT FAILURE OF
THE HALT CONTROLLER ENGAGE DRIVER IS COVERED BY THE BFC LOSS OF
OUTPUT/ERRONEOUS OUTPUT FMEA.


REPORT DATE 02/22/88 

APPENDIX C
ASSESSMENT WORKSHEET

ASSESSMENT DATE: 11/24/87
ASSESSMENT ID:   BFS-204
NASA FMEA #:     05-5-B30-1-2

NASA DATA:
  BASELINE [   ]
  NEW      [ X ]

SUBSYSTEM:    BACKUP FLIGHT SYSTEM
MDAC ID:      204
ITEM:         HAND CONTROLLER ENGAGE DRIVER

LEAD ANALYST: L.W. HINSDALE/E.E. PRUST

ASSESSMENT:

            CRITICALITY    REDUNDANCY SCREENS     CIL
              FLIGHT                              ITEM
             HDW/FUNC       A       B       C

NASA        [ 2 /1R ]     [ F ]   [ F ]   [ P ]   [ X ] *
IOA         [ 1 /1  ]     [ P ]   [ P ]   [ P ]   [ X ]

COMPARE     [ N /N  ]     [ N ]   [ N ]   [   ]   [   ]

RECOMMENDATIONS: (If different from NASA)

            [   /   ]     [   ]   [   ]   [   ]   [   ]
                                                  (ADD/DELETE)


* CIL RETENTION RATIONALE: (If applicable) 

ADEQUATE [ X ] 
INADEQUATE [ ] 

REMARKS: 

THE IOA IDENTIFIED COMPONENT FAILURES WITHIN A BFC. THE FMEA 
TREATED THE BFC AS A BLACK BOX. THE IOA AGREES THAT FAILURE OF 
THE HALT CONTROLLER ENGAGE DRIVER IS COVERED BY THE BFC LOSS OF 
OUTPUT/ERRONEOUS OUTPUT FMEA.

APPENDIX C
ASSESSMENT WORKSHEET

ASSESSMENT DATE: 11/24/87
ASSESSMENT ID:   BFS-205
NASA FMEA #:     05-5-B30-1-2

NASA DATA:
  BASELINE [   ]
  NEW      [ X ]

SUBSYSTEM:    BACKUP FLIGHT SYSTEM
MDAC ID:      205
ITEM:         ENGAGE/DISENGAGE LOGIC

LEAD ANALYST: L.W. HINSDALE/E.E. PRUST

ASSESSMENT:

            CRITICALITY    REDUNDANCY SCREENS     CIL
              FLIGHT                              ITEM
             HDW/FUNC       A       B       C

NASA        [ 2 /1R ]     [ F ]   [ F ]   [ P ]   [ X ]
IOA         [ 1 /1  ]     [ P ]   [ F ]   [ NA]   [ X ]

COMPARE     [ N /N  ]     [ N ]   [   ]   [ N ]   [   ]

RECOMMENDATIONS: (If different from NASA)

            [   /   ]     [   ]   [   ]   [   ]   [   ]
                                                  (ADD/DELETE)


* CIL RETENTION RATIONALE: (If applicable) 

ADEQUATE [ X ] 
INADEQUATE [ ] 

REMARKS:

THE IOA IDENTIFIED COMPONENT FAILURES WITHIN A BFC. THE FMEA
TREATED THE BFC AS A BLACK BOX. THE IOA AGREES THAT FAILURE OF 
THE ENGAGE/DISENGAGE LOGIC IS COVERED BY THE BFC LOSS OF 
OUTPUT/ERRONEOUS OUTPUT FMEA. 

APPENDIX C
ASSESSMENT WORKSHEET

ASSESSMENT DATE: 11/24/87
ASSESSMENT ID:   BFS-206
NASA FMEA #:

NASA DATA:
  BASELINE [   ]
  NEW      [   ]

SUBSYSTEM:    BACKUP FLIGHT SYSTEM
MDAC ID:      206
ITEM:         CRT SELECT LOGIC

LEAD ANALYST: L.W. HINSDALE/E.E. PRUST

ASSESSMENT:

            CRITICALITY    REDUNDANCY SCREENS     CIL
              FLIGHT                              ITEM
             HDW/FUNC       A       B       C

NASA        [   /   ]     [   ]   [   ]   [   ]   [   ]
IOA         [ 3 /3  ]     [ P ]   [ P ]   [ P ]   [   ]

COMPARE     [ N /N  ]     [ N ]   [ N ]   [ N ]   [   ]

RECOMMENDATIONS: (If different from NASA)

            [   /   ]     [   ]   [   ]   [   ]   [   ]
                                                  (ADD/DELETE)

* CIL RETENTION RATIONALE: (If applicable) 

ADEQUATE [ ] 

INADEQUATE [ ] 

REMARKS: 

THE IOA IDENTIFIED COMPONENT FAILURES WITHIN A BFC. THE NASA 
ANALYSIS TREATED THE BFC AS A BLACK BOX. IF NASA GENERATES A 
NON-CIL BFC FMEA, THE IOA SUGGESTS A FUNCTIONAL DESCRIPTION OF 
THE CRT SELECT LOGIC AND AN EXPLANATION OF THE LOSS 
OF OUTPUT/ERRONEOUS OUTPUT FAILURE CONSEQUENCES BE INCLUDED FOR 
COMPLETENESS.

APPENDIX C
ASSESSMENT WORKSHEET

ASSESSMENT DATE: 11/24/87
ASSESSMENT ID:   BFS-207
NASA FMEA #:     05-5-B30-1-2

NASA DATA:
  BASELINE [   ]
  NEW      [ X ]

SUBSYSTEM:    BACKUP FLIGHT SYSTEM
MDAC ID:      207
ITEM:         BFC POWER SUPPLY (5 VDC)

LEAD ANALYST: L.W. HINSDALE/E.E. PRUST

ASSESSMENT:

            CRITICALITY    REDUNDANCY SCREENS     CIL
              FLIGHT                              ITEM
             HDW/FUNC       A       B       C

NASA        [ 2 /1R ]     [ F ]   [ F ]   [ P ]   [ X ]
IOA         [ 1 /1  ]     [ P ]   [ F ]   [ NA]   [ X ]

COMPARE     [ N /N  ]     [ N ]   [   ]   [ N ]   [   ]

RECOMMENDATIONS: (If different from NASA)

            [   /   ]     [   ]   [   ]   [   ]   [   ]
                                                  (ADD/DELETE)

* CIL RETENTION RATIONALE: (If applicable) 

ADEQUATE [ X ] 
INADEQUATE [ ] 

REMARKS:

THE IOA IDENTIFIED COMPONENT FAILURES WITHIN A BFC. THE FMEA
TREATED THE BFC AS A BLACK BOX. THE IOA AGREES THAT FAILURE OF
THE 5 VDC BFC POWER SUPPLY IS COVERED BY THE BFC LOSS OF
OUTPUT/ERRONEOUS OUTPUT FMEA.

APPENDIX C
ASSESSMENT WORKSHEET

ASSESSMENT DATE: 11/24/87
ASSESSMENT ID:   BFS-208
NASA FMEA #:     05-5-B30-1-2

NASA DATA:
  BASELINE [   ]
  NEW      [ X ]

SUBSYSTEM:    BACKUP FLIGHT SYSTEM
MDAC ID:      208
ITEM:         POWER UP/DOWN MONITOR LOGIC

LEAD ANALYST: L.W. HINSDALE/E.E. PRUST

ASSESSMENT:

            CRITICALITY    REDUNDANCY SCREENS     CIL
              FLIGHT                              ITEM
             HDW/FUNC       A       B       C

NASA        [ 2 /1R ]     [ F ]   [ F ]   [ P ]   [ X ] *
IOA         [ 1 /1  ]     [ P ]   [ F ]   [ NA]   [ X ]

COMPARE     [ N /N  ]     [ N ]   [   ]   [ N ]   [   ]

RECOMMENDATIONS: (If different from NASA)

            [   /   ]     [   ]   [   ]   [   ]   [   ]
                                                  (ADD/DELETE)


* CIL RETENTION RATIONALE: (If applicable) 

ADEQUATE [ X ] 
INADEQUATE [ ] 

REMARKS: 

THE IOA IDENTIFIED COMPONENT FAILURES WITHIN A BFC. THE FMEA 
TREATED THE BFC AS A BLACK BOX. THE IOA AGREES THAT INADVERTENT 
OPERATION OF THE POWER UP/DOWN MONITOR LOGIC IS COVERED BY THE
BFC LOSS OF OUTPUT/ERRONEOUS OUTPUT FMEA. 

APPENDIX C
ASSESSMENT WORKSHEET

ASSESSMENT DATE: 11/24/87
ASSESSMENT ID:   BFS-209
NASA FMEA #:     05-5-B30-1-2

NASA DATA:
  BASELINE [   ]
  NEW      [ X ]

SUBSYSTEM:    BACKUP FLIGHT SYSTEM
MDAC ID:      209
ITEM:         POWER UP/DOWN MONITOR LOGIC

LEAD ANALYST: L.W. HINSDALE/E.E. PRUST

ASSESSMENT:

            CRITICALITY    REDUNDANCY SCREENS     CIL
              FLIGHT                              ITEM
             HDW/FUNC       A       B       C

NASA        [ 2 /1R ]     [ F ]   [ F ]   [ P ]   [ X ] *
IOA         [ 1 /1  ]     [ P ]   [ F ]   [ NA]   [ X ]

COMPARE     [ N /N  ]     [ N ]   [   ]   [ N ]   [   ]

RECOMMENDATIONS: (If different from NASA)

            [   /   ]     [   ]   [   ]   [   ]   [   ]
                                                  (ADD/DELETE)


* CIL RETENTION RATIONALE: (If applicable) 

ADEQUATE [ X ] 
INADEQUATE [ ] 

REMARKS: 

THE IOA IDENTIFIED COMPONENT FAILURES WITHIN A BFC. THE FMEA 
TREATED THE BFC AS A BLACK BOX. THE IOA AGREES THAT LOSS OF 
OUTPUT FROM THE POWER UP/DOWN MONITOR LOGIC IS COVERED BY THE BFC 
LOSS OF OUTPUT/ERRONEOUS OUTPUT FMEA. 

APPENDIX C
ASSESSMENT WORKSHEET

ASSESSMENT DATE: 12/01/87
ASSESSMENT ID:   BFS-210X
NASA FMEA #:     05-5-B30-1-3

NASA DATA:
  BASELINE [   ]
  NEW      [ X ]

SUBSYSTEM:    BACKUP FLIGHT SYSTEM
MDAC ID:      210
ITEM:         BACKUP FLIGHT CONTROLLER - BFC 2

LEAD ANALYST: L.W. HINSDALE

ASSESSMENT:

            CRITICALITY    REDUNDANCY SCREENS     CIL
              FLIGHT                              ITEM
             HDW/FUNC       A       B       C

NASA        [ 3 /1R ]     [ P ]   [ F ]   [ P ]   [ X ]
IOA         [ 3 /1R ]     [ P ]   [ F ]   [ P ]   [ X ]

COMPARE     [   /   ]     [   ]   [   ]   [   ]   [   ]

RECOMMENDATIONS: (If different from NASA)

            [   /   ]     [   ]   [   ]   [   ]   [   ]
                                                  (ADD/DELETE)

* CIL RETENTION RATIONALE: (If applicable) 

ADEQUATE [ X ] 
INADEQUATE [ ] 

REMARKS:

THE IOA AGREES WITH THE NASA ASSESSMENT OF THIS FAILURE MODE. 



APPENDIX C
ASSESSMENT WORKSHEET

ASSESSMENT DATE: 11/24/87
ASSESSMENT ID:   BFS-301
NASA FMEA #:     05-5-B01-1-1

NASA DATA:
  BASELINE [   ]
  NEW      [ X ]

SUBSYSTEM:    BACKUP FLIGHT SYSTEM
MDAC ID:      301
ITEM:         BACKUP GPC (USUALLY GPC 5)

LEAD ANALYST: L.W. HINSDALE/E.E. PRUST

ASSESSMENT:

            CRITICALITY    REDUNDANCY SCREENS     CIL
              FLIGHT                              ITEM
             HDW/FUNC       A       B       C

NASA        [ 2 /1R ]     [ P ]   [ P ]   [ P ]   [ X ]
IOA         [ 1 /1  ]     [ P ]   [ F ]   [ F ]   [ X ]

COMPARE     [ N /N  ]     [   ]   [ N ]   [ N ]   [   ]

RECOMMENDATIONS: (If different from NASA)

            [   /   ]     [   ]   [   ]   [   ]   [   ]
                                                  (ADD/DELETE)


* CIL RETENTION RATIONALE: (If applicable) 

ADEQUATE [ X ] 
INADEQUATE [ ] 

REMARKS: 

NASA PREPARED SEPARATE FMEAs FOR THE CPU AND IOP. THE IOA 
TREATED THE GPC AS ONE BLACK BOX. 

THE FMEA COUNTED PASS FAILURES IN ADDITION TO THE BFS GPC FAILURE 
WHEN ASSIGNING CRITICALITY. THE IOA ASSIGNED CRITICALITY BASED 
ON THE ASSUMPTION THE BFS WAS OR WOULD BE ENGAGED. 

SINCE BOTH ANALYSIS METHODS CONCLUDE THAT GPC (CPU AND OR IOP) 
LOSS OF OUTPUT IS JUSTIFICATION FOR INCLUSION ON THE CIL, THE IOA 
RECOMMENDS THE FMEA CRITICALITIES BE RETAINED. 

APPENDIX C
ASSESSMENT WORKSHEET

ASSESSMENT DATE: 11/24/87
ASSESSMENT ID:   BFS-301A
NASA FMEA #:     05-5-B02-1-1

NASA DATA:
  BASELINE [   ]
  NEW      [ X ]

SUBSYSTEM:    BACKUP FLIGHT SYSTEM
MDAC ID:      301
ITEM:         BACKUP GPC (USUALLY GPC 5)

LEAD ANALYST: L.W. HINSDALE/E.E. PRUST

ASSESSMENT:

            CRITICALITY    REDUNDANCY SCREENS     CIL
              FLIGHT                              ITEM
             HDW/FUNC       A       B       C

NASA        [ 2 /1R ]     [ P ]   [ P ]   [ P ]   [ X ]
IOA         [ 1 /1  ]     [ P ]   [ F ]   [ F ]   [ X ]

COMPARE     [ N /N  ]     [   ]   [ N ]   [ N ]   [   ]

RECOMMENDATIONS: (If different from NASA)

            [   /   ]     [   ]   [   ]   [   ]   [   ]
                                                  (ADD/DELETE)


* CIL RETENTION RATIONALE: (If applicable) 

ADEQUATE [ X ] 
INADEQUATE [ ] 

REMARKS: 

NASA PREPARED SEPARATE FMEAs FOR THE CPU AND IOP. THE IOA 
TREATED THE GPC AS ONE BLACK BOX. 

THE FMEA COUNTED PASS FAILURES IN ADDITION TO THE BFS GPC FAILURE 
WHEN ASSIGNING CRITICALITY. THE IOA ASSIGNED CRITICALITY BASED 
ON THE ASSUMPTION THE BFS WAS OR WOULD BE ENGAGED. 

SINCE BOTH ANALYSIS METHODS CONCLUDE THAT GPC (CPU AND OR IOP) 
LOSS OF OUTPUT IS JUSTIFICATION FOR INCLUSION ON THE CIL, THE IOA 
RECOMMENDS THE FMEA CRITICALITIES BE RETAINED. 

APPENDIX C
ASSESSMENT WORKSHEET

ASSESSMENT DATE: 11/24/87
ASSESSMENT ID:   BFS-302
NASA FMEA #:     05-5-B01-1-2

NASA DATA:
  BASELINE [   ]
  NEW      [ X ]

SUBSYSTEM:    BACKUP FLIGHT SYSTEM
MDAC ID:      302
ITEM:         BACKUP GPC (USUALLY GPC 5)

LEAD ANALYST: L.W. HINSDALE/E.E. PRUST

ASSESSMENT:

            CRITICALITY    REDUNDANCY SCREENS     CIL
              FLIGHT                              ITEM
             HDW/FUNC       A       B       C

NASA        [ 1 /1  ]     [   ]   [   ]   [   ]   [ X ]
IOA         [ 1 /1  ]     [ P ]   [ F ]   [ F ]   [ X ]

COMPARE     [   /   ]     [ N ]   [ N ]   [ N ]   [   ]

RECOMMENDATIONS: (If different from NASA)

            [   /   ]     [   ]   [   ]   [   ]   [   ]
                                                  (ADD/DELETE)


* CIL RETENTION RATIONALE: (If applicable) 

ADEQUATE [ X ] 
INADEQUATE [ ] 


REMARKS: 

NASA PREPARED SEPARATE FMEAs FOR THE CPU AND IOP. THE IOA
TREATED THE GPC AS ONE BLACK BOX.

THE FMEA COUNTED PASS FAILURES IN ADDITION TO THE BFS GPC FAILURE
WHEN ASSIGNING CRITICALITY. THE IOA ASSIGNED CRITICALITY BASED
ON THE ASSUMPTION THE BFS WAS OR WOULD BE ENGAGED.

SINCE BOTH ANALYSIS METHODS CONCLUDE THAT GPC (CPU AND OR IOP) 
ERRONEOUS OUTPUT IS JUSTIFICATION FOR INCLUSION ON THE CIL, THE 
IOA RECOMMENDS THE FMEA CRITICALITIES BE RETAINED. 

APPENDIX C
ASSESSMENT WORKSHEET

ASSESSMENT DATE: 11/24/87
ASSESSMENT ID:   BFS-302A
NASA FMEA #:     05-5-B02-1-2

NASA DATA:
  BASELINE [   ]
  NEW      [ X ]

SUBSYSTEM:    BACKUP FLIGHT SYSTEM
MDAC ID:      302
ITEM:         BACKUP GPC (USUALLY GPC 5)

LEAD ANALYST: L.W. HINSDALE/E.E. PRUST

ASSESSMENT:

            CRITICALITY    REDUNDANCY SCREENS     CIL
              FLIGHT                              ITEM
             HDW/FUNC       A       B       C

NASA        [ 1 /1  ]     [   ]   [   ]   [   ]   [ X ]
IOA         [ 1 /1  ]     [ P ]   [ F ]   [ F ]   [ X ]

COMPARE     [   /   ]     [ N ]   [ N ]   [ N ]   [   ]

RECOMMENDATIONS: (If different from NASA)

            [   /   ]     [   ]   [   ]   [   ]   [   ]
                                                  (ADD/DELETE)


* CIL RETENTION RATIONALE: (If applicable) 

ADEQUATE [ X ] 
INADEQUATE [ ] 


REMARKS: 

NASA PREPARED SEPARATE FMEAs FOR THE CPU AND IOP. THE IOA
TREATED THE GPC AS ONE BLACK BOX.

THE FMEA COUNTED PASS FAILURES IN ADDITION TO THE BFS GPC FAILURE 
WHEN ASSIGNING CRITICALITY. THE IOA ASSIGNED CRITICALITY BASED 
ON THE ASSUMPTION THE BFS WAS OR WOULD BE ENGAGED. 

SINCE BOTH ANALYSIS METHODS CONCLUDE THAT GPC (CPU AND OR IOP) 
ERRONEOUS OUTPUT IS JUSTIFICATION FOR INCLUSION ON THE CIL, THE 
IOA RECOMMENDS THE FMEA CRITICALITIES BE RETAINED. 

APPENDIX C
ASSESSMENT WORKSHEET

ASSESSMENT DATE: 11/24/87
ASSESSMENT ID:   BFS-401
NASA FMEA #:     05-5-B32-1-1

NASA DATA:
  BASELINE [   ]
  NEW      [ X ]

SUBSYSTEM:    BACKUP FLIGHT SYSTEM
MDAC ID:      401
ITEM:         BFS ENGAGE PUSHBUTTON

LEAD ANALYST: L.W. HINSDALE/E.E. PRUST

ASSESSMENT:

            CRITICALITY    REDUNDANCY SCREENS     CIL
              FLIGHT                              ITEM
             HDW/FUNC       A       B       C

NASA        [ 3 /1R ]     [ P ]   [ F ]   [ P ]   [ X ]
IOA         [ 2 /1R ]     [ P ]   [ F ]   [ P ]   [ X ]

COMPARE     [ N /   ]     [   ]   [   ]   [   ]   [   ]

RECOMMENDATIONS: (If different from NASA)

            [   /   ]     [   ]   [   ]   [   ]   [   ]
                                                  (ADD/DELETE)


* CIL RETENTION RATIONALE: (If applicable) 

ADEQUATE [ X ] 
INADEQUATE [ ] 

REMARKS: 

THE FMEA COUNTED PASS FAILURES IN ADDITION TO BFS ENGAGE SWITCH 
FAILURES WHEN ASSIGNING CRITICALITY. THE IOA ASSIGNED
CRITICALITY BASED ON THE ASSUMPTION THE BFS WOULD BE ENGAGED.
SINCE BOTH ANALYSIS METHODS CONCLUDE THAT OPEN CONTACT FAILURE OF 
THE ENGAGE SWITCH IS JUSTIFICATION FOR INCLUSION ON THE CIL, THE 
IOA RECOMMENDS THE FMEA CRITICALITY BE RETAINED. 

APPENDIX C
ASSESSMENT WORKSHEET

ASSESSMENT DATE: 11/24/87
ASSESSMENT ID:   BFS-402
NASA FMEA #:

NASA DATA:
  BASELINE [   ]
  NEW      [   ]

SUBSYSTEM:    BACKUP FLIGHT SYSTEM
MDAC ID:      402
ITEM:         BFS ENGAGE PUSHBUTTON

LEAD ANALYST: L.W. HINSDALE/E.E. PRUST

ASSESSMENT:

            CRITICALITY    REDUNDANCY SCREENS     CIL
              FLIGHT                              ITEM
             HDW/FUNC       A       B       C

NASA        [   /   ]     [   ]   [   ]   [   ]   [   ]
IOA         [ 3 /3  ]     [ P ]   [ P ]   [ NA]   [   ]

COMPARE     [ N /N  ]     [ N ]   [ N ]   [ N ]   [   ]

RECOMMENDATIONS: (If different from NASA)

            [ 3 /3  ]     [ P ]   [ P ]   [ NA]   [   ]
                                                  (ADD/DELETE)


* CIL RETENTION RATIONALE: (If applicable) 

ADEQUATE [ ] 

INADEQUATE [ ] 

REMARKS:

THE FAIL CLOSED MODE FOR THE ENGAGE PUSHBUTTON CONTACTS WOULD 
CAUSE INADVERTENT BFS ENGAGEMENT. THIS ALONE IS NOT 
JUSTIFICATION FOR INCLUSION ON THE CIL. HOWEVER, THE IOA 
CONSIDERS THIS TO BE A HIGHLY UNDESIRABLE FAILURE AND RECOMMENDS 
IT BE COVERED IN THE UPDATED FMEAs FOR NON-CIL ITEMS. 

APPENDIX C
ASSESSMENT WORKSHEET

ASSESSMENT DATE: 11/24/87
ASSESSMENT ID:   BFS-403
NASA FMEA #:

NASA DATA:
  BASELINE [   ]
  NEW      [   ]

SUBSYSTEM:    BACKUP FLIGHT SYSTEM
MDAC ID:      403
ITEM:         BFC DISENGAGE SWITCH

LEAD ANALYST: L.W. HINSDALE/E.E. PRUST

ASSESSMENT:

            CRITICALITY    REDUNDANCY SCREENS     CIL
              FLIGHT                              ITEM
             HDW/FUNC       A       B       C

NASA        [   /   ]     [   ]   [   ]   [   ]   [   ] *
IOA         [ 3 /2R ]     [ P ]   [ F ]   [ NA]   [   ]

COMPARE     [ N /N  ]     [ N ]   [ N ]   [ N ]   [   ]

RECOMMENDATIONS: (If different from NASA)

            [ 3 /2R ]     [ P ]   [ P ]   [ NA]   [   ]
                                                  (ADD/DELETE)


* CIL RETENTION RATIONALE: (If applicable) 

ADEQUATE [ ] 

INADEQUATE [ ] 

REMARKS: 

AS A RESULT OF FURTHER REVIEW, THE IOA CONCLUDES THAT THE B
SCREEN FAILURE SHOULD BE CHANGED TO PASS. THE IOA RECOMMENDS THE
FAIL OPEN MODE FOR THE BFC DISENGAGE SWITCH BE COVERED IN THE
UPDATED FMEA FOR NON-CIL ITEMS.

APPENDIX C
ASSESSMENT WORKSHEET

ASSESSMENT DATE: 11/24/87
ASSESSMENT ID:   BFS-404
NASA FMEA #:     05-5-B31-1-1

NASA DATA:
  BASELINE [   ]
  NEW      [ X ]

SUBSYSTEM:    BACKUP FLIGHT SYSTEM
MDAC ID:      404
ITEM:         BFC DISENGAGE SWITCH

LEAD ANALYST: L.W. HINSDALE/E.E. PRUST

ASSESSMENT:

            CRITICALITY    REDUNDANCY SCREENS     CIL
              FLIGHT                              ITEM
             HDW/FUNC       A       B       C

NASA        [ 2 /1R ]     [ P ]   [ F ]   [ P ]   [ X ] *
IOA         [ 1 /1  ]     [ P ]   [ F ]   [ NA]   [ X ]

COMPARE     [ N /N  ]     [   ]   [   ]   [ N ]   [   ]

RECOMMENDATIONS: (If different from NASA)

            [   /   ]     [   ]   [   ]   [   ]   [   ]
                                                  (ADD/DELETE)


* CIL RETENTION RATIONALE: (If applicable) 

ADEQUATE [ X ] 
INADEQUATE [ ] 

REMARKS: 

THE FMEA COUNTED PASS FAILURES IN ADDITION TO BFC DISENGAGE 
SWITCH CONTACTS BEING FAILED CLOSED WHEN ASSIGNING CRITICALITY. 
THE IOA ASSIGNED CRITICALITY BASED ON THE ASSUMPTION THE BFS 
WOULD BE ENGAGED. 

SINCE BOTH ANALYSIS METHODS CONCLUDE THAT THE SWITCH FAILURE MODE 
IS JUSTIFICATION FOR INCLUSION ON THE CIL, THE IOA RECOMMENDS THE 
FMEA CRITICALITY BE RETAINED. 

APPENDIX C
ASSESSMENT WORKSHEET

ASSESSMENT DATE: 11/24/87
ASSESSMENT ID:   BFS-405
NASA FMEA #:

NASA DATA:
  BASELINE [   ]
  NEW      [   ]

SUBSYSTEM:    BACKUP FLIGHT SYSTEM
MDAC ID:      405
ITEM:         BFC CRT DISPLAY SWITCH

LEAD ANALYST: L.W. HINSDALE/E.E. PRUST

ASSESSMENT:

            CRITICALITY    REDUNDANCY SCREENS     CIL
              FLIGHT                              ITEM
             HDW/FUNC       A       B       C

NASA        [   /   ]     [   ]   [   ]   [   ]   [   ]
IOA         [ 3 /3  ]     [ P ]   [ P ]   [ NA]   [   ]

COMPARE     [ N /N  ]     [ N ]   [ N ]   [ N ]   [   ]

RECOMMENDATIONS: (If different from NASA)

            [ 3 /3  ]     [ P ]   [ P ]   [ NA]   [   ]
                                                  (ADD/DELETE)


* CIL RETENTION RATIONALE: (If applicable) 

ADEQUATE [ ] 

INADEQUATE [ ] 

REMARKS: 

THE FAIL OPEN MODE FOR THE BFC CRT DISPLAY SWITCH IS INSUFFICIENT 
FOR INCLUSION ON THE CIL. THE IOA RECOMMENDS IT BE COVERED IN 
THE UPDATED FMEAs FOR NON-CIL ITEMS. 

APPENDIX C
ASSESSMENT WORKSHEET

ASSESSMENT DATE: 11/24/87
ASSESSMENT ID:   BFS-406
NASA FMEA #:

NASA DATA:
  BASELINE [   ]
  NEW      [   ]

SUBSYSTEM:    BACKUP FLIGHT SYSTEM
MDAC ID:      406
ITEM:         BFC CRT SELECT SWITCH

LEAD ANALYST: L.W. HINSDALE/E.E. PRUST

ASSESSMENT:

            CRITICALITY    REDUNDANCY SCREENS     CIL
              FLIGHT                              ITEM
             HDW/FUNC       A       B       C

NASA        [   /   ]     [   ]   [   ]   [   ]   [   ]
IOA         [ 3 /3  ]     [ P ]   [ P ]   [ NA]   [   ]

COMPARE     [ N /N  ]     [ N ]   [ N ]   [ N ]   [   ]

RECOMMENDATIONS: (If different from NASA)

            [ 3 /3  ]     [ P ]   [ P ]   [ NA]   [   ]
                                                  (ADD/DELETE)


* CIL RETENTION RATIONALE: (If applicable) 

ADEQUATE [ ] 

INADEQUATE [ ] 


REMARKS: 

THE FAIL OPEN, FAIL TO SWITCH, AND ERRONEOUS OUTPUT MODES FOR THE 
BFC CRT SELECT SWITCH ARE INSUFFICIENT FOR INCLUSION ON THE CIL. 
THE IOA RECOMMENDS THEY BE COVERED IN THE UPDATED FMEAs FOR NON- 
CIL ITEMS. 

3/3. 

APPENDIX C
ASSESSMENT WORKSHEET

ASSESSMENT DATE: 11/24/87
ASSESSMENT ID:   BFS-407
NASA FMEA #:     05-6S-BSW7-1

NASA DATA:
  BASELINE [   ]
  NEW      [ X ]

SUBSYSTEM:    BACKUP FLIGHT SYSTEM
MDAC ID:      407
ITEM:         BFS GPC (USUALLY GPC 5) POWER SWITCH

LEAD ANALYST: L.W. HINSDALE/E.E. PRUST

ASSESSMENT:

            CRITICALITY    REDUNDANCY SCREENS     CIL
              FLIGHT                              ITEM
             HDW/FUNC       A       B       C

NASA        [ 2 /1R ]     [ P ]   [ P ]   [ P ]   [ X ] *
IOA         [ 1 /1  ]     [ P ]   [ P ]   [ F ]   [ X ]

COMPARE     [ N /N  ]     [   ]   [   ]   [ N ]   [   ]

RECOMMENDATIONS: (If different from NASA)

            [   /   ]     [   ]   [   ]   [   ]   [   ]
                                                  (ADD/DELETE)


* CIL RETENTION RATIONALE: (If applicable) 

ADEQUATE [ X ] 
INADEQUATE [ ] 

REMARKS: 

THE FMEA COUNTED A GENERIC PASS FAILURE IN ADDITION TO BFS GPC 
SWITCH FAILURE WHEN ASSIGNING CRITICALITY. THE IOA ASSIGNED 
CRITICALITY BASED ON THE ASSUMPTION BFS WAS OR WOULD BE ENGAGED. 
SINCE BOTH ANALYSIS METHODS CONCLUDE THAT GPC POWER SWITCH FAIL 
OPEN CONTACTS IS SUFFICIENT JUSTIFICATION FOR INCLUSION ON THE 
CIL, THE IOA RECOMMENDS THE FMEA CRITICALITY BE RETAINED. 


REPORT DATE 02/22/88 


APPENDIX C
ASSESSMENT WORKSHEET

ASSESSMENT DATE: 11/30/87                NASA DATA:
ASSESSMENT ID:   BFS-408                   BASELINE [   ]
NASA FMEA #:     05-5-B15-1-1                   NEW [ X ]

SUBSYSTEM:       BACKUP FLIGHT SYSTEM
MDAC ID:         408
ITEM:            BFS GPC (USUALLY GPC 5) OUTPUT SWITCH

LEAD ANALYST:    L.W. HINSDALE/E.E. PRUST

ASSESSMENT:

          CRITICALITY     REDUNDANCY SCREENS      CIL
            FLIGHT                                ITEM
           HDW/FUNC        A       B       C

NASA      [ 2 /1R ]      [ P ]   [ F ]   [ P ]   [ X ]
IOA       [ 1 /1  ]      [ P ]   [ P ]   [ F ]   [ X ]
COMPARE   [ N /N  ]      [   ]   [ N ]   [ N ]   [   ]

RECOMMENDATIONS: (If different from NASA)

          [   /   ]      [   ]   [   ]   [   ]   [   ]
                                                 (ADD/DELETE)

* CIL RETENTION RATIONALE: (If applicable) 

ADEQUATE [ X ] 
INADEQUATE [ ] 

REMARKS: 

THE FMEA COUNTED PASS GENERIC FAILURE IN ADDITION TO BFS GPC 
OUTPUT SWITCH FAILURE WHEN ASSIGNING CRITICALITY. THE IOA 
ASSIGNED CRITICALITY BASED ON THE ASSUMPTION THE BFS WOULD BE 
ENGAGED. 

SINCE BOTH ANALYSIS METHODS CONCLUDE THAT ERRONEOUS OPERATION OF 
THE GPC OUTPUT SWITCH IS JUSTIFICATION FOR INCLUSION ON THE CIL, 
THE IOA RECOMMENDS THE FMEA CRITICALITY BE RETAINED. 


APPENDIX C
ASSESSMENT WORKSHEET

ASSESSMENT DATE: 11/30/87                NASA DATA:
ASSESSMENT ID:   BFS-409                   BASELINE [   ]
NASA FMEA #:     05-5-B17-1-1                   NEW [ X ]

SUBSYSTEM:       BACKUP FLIGHT SYSTEM
MDAC ID:         409
ITEM:            BFS GPC (USUALLY GPC 5) MODE SWITCH

LEAD ANALYST:    L.W. HINSDALE/E.E. PRUST

ASSESSMENT:

          CRITICALITY     REDUNDANCY SCREENS      CIL
            FLIGHT                                ITEM
           HDW/FUNC        A       B       C

NASA      [ 2 /1R ]      [ P ]   [ F ]   [ P ]   [ X ] *
IOA       [ 1 /1  ]      [ P ]   [ P ]   [ F ]   [ X ]
COMPARE   [ N /N  ]      [   ]   [ N ]   [ N ]   [   ]

RECOMMENDATIONS: (If different from NASA)

          [   /   ]      [   ]   [   ]   [   ]   [   ]
                                                 (ADD/DELETE)

* CIL RETENTION RATIONALE: (If applicable)

ADEQUATE [ X ]
INADEQUATE [ ]

REMARKS:

THE FMEA COUNTED PASS GENERIC FAILURE IN ADDITION TO BFS GPC MODE
SWITCH FAILURE WHEN ASSIGNING CRITICALITY. THE IOA ASSIGNED
CRITICALITY BASED ON THE ASSUMPTION THE BFS WOULD BE ENGAGED.
SINCE BOTH ANALYSIS METHODS CONCLUDE THAT ERRONEOUS OPERATION OF
THE GPC MODE SWITCH IS JUSTIFICATION FOR INCLUSION ON THE CIL,
THE IOA RECOMMENDS THE FMEA CRITICALITY BE RETAINED.


APPENDIX C
ASSESSMENT WORKSHEET

ASSESSMENT DATE: 11/30/87                NASA DATA:
ASSESSMENT ID:   BFS-501                   BASELINE [   ]
NASA FMEA #:     05-6Q-2103A-1                  NEW [ X ]

SUBSYSTEM:       BACKUP FLIGHT SYSTEM
MDAC ID:         501
ITEM:            CIRCUIT BREAKER, 7.5 AMP. - MAIN A (B,C) SUPPLY
                 TO L(R) DDU

LEAD ANALYST:    L.W. HINSDALE/E.E. PRUST

ASSESSMENT:

          CRITICALITY     REDUNDANCY SCREENS      CIL
            FLIGHT                                ITEM
           HDW/FUNC        A       B       C

NASA      [ 3 /1R ]      [ P ]   [ F ]   [ P ]   [ X ]
IOA       [ 3 /1R ]      [ P ]   [ P ]   [ P ]   [ X ]
COMPARE   [   /   ]      [   ]   [ N ]   [   ]   [   ]

RECOMMENDATIONS: (If different from NASA)

          [   /   ]      [   ]   [   ]   [   ]   [   ]
                                                 (ADD/DELETE)

* CIL RETENTION RATIONALE: (If applicable)

ADEQUATE [ X ]
INADEQUATE [ ]

REMARKS:

THE IOA BFS ANALYSIS AGREES WITH THE BASELINE FMEA (EPD&C-D&C
SUBSYSTEM).


APPENDIX C

ASSESSMENT WORKSHEET

ASSESSMENT DATE: 11/30/87                NASA DATA:
ASSESSMENT ID:   BFS-501A                  BASELINE [   ]
NASA FMEA #:     05-6Q-2103B-1                  NEW [ X ]

SUBSYSTEM:       BACKUP FLIGHT SYSTEM
MDAC ID:         501
ITEM:            CIRCUIT BREAKER, 7.5 AMP. - MAIN A (B,C) SUPPLY
                 TO L(R) DDU

LEAD ANALYST:    L.W. HINSDALE/E.E. PRUST

ASSESSMENT:

          CRITICALITY     REDUNDANCY SCREENS      CIL
            FLIGHT                                ITEM
           HDW/FUNC        A       B       C

NASA      [ 3 /1R ]      [ P ]   [ F ]   [ P ]   [ X ] *
IOA       [ 3 /1R ]      [ P ]   [ P ]   [ P ]   [ X ]
COMPARE   [   /   ]      [   ]   [ N ]   [   ]   [   ]

RECOMMENDATIONS: (If different from NASA)

          [   /   ]      [   ]   [   ]   [   ]   [   ]
                                                 (ADD/DELETE)

* CIL RETENTION RATIONALE: (If applicable)

ADEQUATE [ X ]
INADEQUATE [ ]

REMARKS:

THE IOA BFS ANALYSIS AGREES WITH THE BASELINE FMEA (EPD&C-D&C
SUBSYSTEM).


APPENDIX C

ASSESSMENT WORKSHEET

ASSESSMENT DATE: 11/30/87                NASA DATA:
ASSESSMENT ID:   BFS-502                   BASELINE [   ]
NASA FMEA #:     05-6S-BFUS4-1                  NEW [ X ]

SUBSYSTEM:       BACKUP FLIGHT SYSTEM
MDAC ID:         502
ITEM:            FUSE F9, 1 AMP. - CNTL BUS AB3 SUPPLY TO
                 DISENGAGE SWITCH AND BFC MODULES 1A & 1B (HCED & ENGAGE LOGIC)

LEAD ANALYST:    L.W. HINSDALE/E.E. PRUST

ASSESSMENT:

          CRITICALITY     REDUNDANCY SCREENS      CIL
            FLIGHT                                ITEM
           HDW/FUNC        A       B       C

NASA      [ 2 /1R ]      [ P ]   [ F ]   [ P ]   [ X ]
IOA       [ 1 /1  ]      [ P ]   [ F ]   [ F ]   [ X ]
COMPARE   [ N /N  ]      [   ]   [   ]   [ N ]   [   ]

RECOMMENDATIONS: (If different from NASA)

          [   /   ]      [   ]   [   ]   [   ]   [   ]
                                                 (ADD/DELETE)

* CIL RETENTION RATIONALE: (If applicable)

ADEQUATE [ X ]
INADEQUATE [ ]

REMARKS:

ONE FMEA COVERS FUSES F9, F10, AND F11. THE IOA PREPARED
SEPARATE ANALYSIS WORKSHEETS FOR EACH FUSE BECAUSE THE FAILURE
EFFECTS ARE DIFFERENT. THE IOA AGREES THAT FAIL OPEN OF FUSE F11
(CIRCUIT PROTECTION FOR CONTROL BUS CA1) RESULTS IN LOSS OF
ABILITY TO ENGAGE BFS. IF EITHER F9 OR F10 (CIRCUIT PROTECTION
FOR CONTROL BUS AB3) FAILS OPEN, THE ABILITY TO ENGAGE BFS EXISTS
BUT THE AUTOMATIC DISENGAGE OF GPCs THAT INTERFACE WITH MODULES A
AND B IN BFC 1 (NORMALLY GPCs 1 AND 4) AND MODULE A
IN BFC 2 (NORMALLY GPC 2) IS LOST, I.E., A FORCE FIGHT BETWEEN
THE BFS GPC AND THREE PASS GPCs COULD DEVELOP.

SINCE BOTH ANALYSIS METHODS CONCLUDE THAT OPEN FAILURE OF THE
FUSES IS JUSTIFICATION FOR INCLUSION ON THE CIL, THE IOA
RECOMMENDS THE FMEA CRITICALITY BE RETAINED.


APPENDIX C

ASSESSMENT WORKSHEET

ASSESSMENT DATE: 11/30/87                NASA DATA:
ASSESSMENT ID:   BFS-503                   BASELINE [   ]
NASA FMEA #:     05-6S-BFUS4-1                  NEW [ X ]

SUBSYSTEM:       BACKUP FLIGHT SYSTEM
MDAC ID:         503
ITEM:            FUSE F10, 1 AMP. - CNTL BUS AB3 SUPPLY TO
                 DISENGAGE SWITCH AND BFC MODULE 2A - HCED & ENGAGE LOGIC

LEAD ANALYST:    L.W. HINSDALE/E.E. PRUST

ASSESSMENT:

          CRITICALITY     REDUNDANCY SCREENS      CIL
            FLIGHT                                ITEM
           HDW/FUNC        A       B       C

NASA      [ 2 /1R ]      [ P ]   [ F ]   [ P ]   [ X ]
IOA       [ 1 /1  ]      [ P ]   [ F ]   [ F ]   [ X ]
COMPARE   [ N /N  ]      [   ]   [   ]   [ N ]   [   ]

RECOMMENDATIONS: (If different from NASA)

          [   /   ]      [   ]   [   ]   [   ]   [   ]
                                                 (ADD/DELETE)

* CIL RETENTION RATIONALE: (If applicable)

ADEQUATE [ X ]
INADEQUATE [ ]

REMARKS:

ONE FMEA COVERS FUSES F9, F10, AND F11. THE IOA PREPARED
SEPARATE ANALYSIS WORKSHEETS FOR EACH FUSE BECAUSE THE FAILURE
EFFECTS ARE DIFFERENT. THE IOA AGREES THAT FAIL OPEN OF FUSE F11
(CIRCUIT PROTECTION FOR CONTROL BUS CA1) RESULTS IN LOSS OF
ABILITY TO ENGAGE BFS. IF EITHER F9 OR F10 (CIRCUIT PROTECTION
FOR CONTROL BUS AB3) FAILS OPEN, THE ABILITY TO ENGAGE BFS EXISTS
BUT THE AUTOMATIC DISENGAGE OF GPCs THAT INTERFACE WITH MODULES A
AND B IN BFC 1 (NORMALLY GPCs 1 AND 4) AND MODULE A
IN BFC 2 (NORMALLY GPC 2) IS LOST, I.E., A FORCE FIGHT BETWEEN
THE BFS GPC AND THREE PASS GPCs COULD DEVELOP.

SINCE BOTH ANALYSIS METHODS CONCLUDE THAT OPEN FAILURE OF THE
FUSES IS JUSTIFICATION FOR INCLUSION ON THE CIL, THE IOA
RECOMMENDS THE FMEA CRITICALITY BE RETAINED.


APPENDIX C

ASSESSMENT WORKSHEET

ASSESSMENT DATE: 11/30/87                NASA DATA:
ASSESSMENT ID:   BFS-504                   BASELINE [   ]
NASA FMEA #:     05-6S-BFUS4-1                  NEW [ X ]

SUBSYSTEM:       BACKUP FLIGHT SYSTEM
MDAC ID:         504
ITEM:            FUSE F11, 1 AMP. - CNTL BUS CA1 SUPPLY TO
                 DISENGAGE SWITCH AND BFC MODULES 2B, 3A, 3B - HCED & ENGAGE LOGIC

LEAD ANALYST:    L.W. HINSDALE/E.E. PRUST

ASSESSMENT:

          CRITICALITY     REDUNDANCY SCREENS      CIL
            FLIGHT                                ITEM
           HDW/FUNC        A       B       C

NASA      [ 2 /1R ]      [ P ]   [ F ]   [ P ]   [ X ] *
IOA       [ 1 /1  ]      [ P ]   [ F ]   [ F ]   [ X ]
COMPARE   [ N /N  ]      [   ]   [   ]   [ N ]   [   ]

RECOMMENDATIONS: (If different from NASA)

          [   /   ]      [   ]   [   ]   [   ]   [   ]
                                                 (ADD/DELETE)

* CIL RETENTION RATIONALE: (If applicable)

ADEQUATE [ X ]
INADEQUATE [ ]

REMARKS:

ONE FMEA COVERS FUSES F9, F10, AND F11. THE IOA PREPARED
SEPARATE ANALYSIS WORKSHEETS FOR EACH FUSE BECAUSE THE FAILURE
EFFECTS ARE DIFFERENT. THE IOA AGREES THAT FAIL OPEN OF FUSE F11
(CIRCUIT PROTECTION FOR CONTROL BUS CA1) RESULTS IN LOSS OF
ABILITY TO ENGAGE BFS. IF EITHER F9 OR F10 (CIRCUIT PROTECTION
FOR CONTROL BUS AB3) FAILS OPEN, THE ABILITY TO ENGAGE BFS EXISTS
BUT THE AUTOMATIC DISENGAGE OF GPCs THAT INTERFACE WITH MODULES A
AND B IN BFC 1 (NORMALLY GPCs 1 AND 4) AND MODULE A
IN BFC 2 (NORMALLY GPC 2) IS LOST, I.E., A FORCE FIGHT BETWEEN
THE BFS GPC AND THREE PASS GPCs COULD DEVELOP.

SINCE BOTH ANALYSIS METHODS CONCLUDE THAT OPEN FAILURE OF THE
FUSES IS JUSTIFICATION FOR INCLUSION ON THE CIL, THE IOA
RECOMMENDS THE FMEA CRITICALITY BE RETAINED.


APPENDIX C

ASSESSMENT WORKSHEET

ASSESSMENT DATE: 11/30/87                NASA DATA:
ASSESSMENT ID:   BFS-505                   BASELINE [   ]
NASA FMEA #:     05-6S-BFUS3-1                  NEW [ X ]

SUBSYSTEM:       BACKUP FLIGHT SYSTEM
MDAC ID:         505
ITEM:            FUSE F49, 3 AMP. - ESS BUS 3AB SUPPLY TO GPC
                 OUTPUT SWITCHES (BACKUP & NORMAL DISCRETES)

LEAD ANALYST:    L.W. HINSDALE/E.E. PRUST

ASSESSMENT:

          CRITICALITY     REDUNDANCY SCREENS      CIL
            FLIGHT                                ITEM
           HDW/FUNC        A       B       C

NASA      [ 2 /1R ]      [ P ]   [ F ]   [ P ]   [ X ]
IOA       [ 1 /1  ]      [ P ]   [ P ]   [ F ]   [ X ]
COMPARE   [ N /N  ]      [   ]   [ N ]   [ N ]   [   ]

RECOMMENDATIONS: (If different from NASA)

          [   /   ]      [   ]   [   ]   [   ]   [   ]
                                                 (ADD/DELETE)


* CIL RETENTION RATIONALE: (If applicable) 

ADEQUATE [ X ] 
INADEQUATE [ ] 

REMARKS : 

THE FMEA COUNTED PASS GENERIC FAILURE IN ADDITION TO THE FUSE 
FAILURE WHEN ASSIGNING CRITICALITY. THE IOA ASSIGNED CRITICALITY 
BASED ON THE ASSUMPTION THE BFS WAS OR WOULD BE ENGAGED. 

SINCE BOTH ANALYSIS METHODS CONCLUDE THAT FUSE F49 FAILED OPEN 
MODE IS JUSTIFICATION FOR INCLUSION ON THE CIL, THE IOA 
RECOMMENDS THE FMEA CRITICALITY BE RETAINED. 


APPENDIX C

ASSESSMENT WORKSHEET

ASSESSMENT DATE: 12/18/86                NASA DATA:
ASSESSMENT ID:   BFS-506                   BASELINE [   ]
NASA FMEA #:                                    NEW [   ]

SUBSYSTEM:       BACKUP FLIGHT SYSTEM
MDAC ID:         506
ITEM:            FUSE, 3 AMP. - ESS BUS SUPPLY TO BFS GPC
                 (USUALLY GPC 5) POWER SWITCH

LEAD ANALYST:    L.W. HINSDALE/E.E. PRUST

ASSESSMENT:

          CRITICALITY     REDUNDANCY SCREENS      CIL
            FLIGHT                                ITEM
           HDW/FUNC        A       B       C

NASA      [   /   ]      [   ]   [   ]   [   ]   [   ]
IOA       [ 3 /1R ]      [ P ]   [ P ]   [ P ]   [   ]
COMPARE   [ N /N  ]      [ N ]   [ N ]   [ N ]   [   ]

RECOMMENDATIONS: (If different from NASA)

          [ 3 /1R ]      [ P ]   [ P ]   [ P ]   [   ]
                                                 (ADD/DELETE)

* CIL RETENTION RATIONALE: (If applicable)

ADEQUATE [ ]
INADEQUATE [ ]

REMARKS:

THE IOA RECOMMENDS A FUNCTIONAL DESCRIPTION OF THE REDUNDANT
FUSES AND AN EXPLANATION OF THE FAIL OPEN CONSEQUENCES BE
INCLUDED FOR COMPLETENESS IN THE UPDATED FMEAs FOR NON-CIL ITEMS.
THE IOA RECOMMENDS THAT A FMEA BE CREATED FOR THIS FAILURE
MODE.


APPENDIX C

ASSESSMENT WORKSHEET

ASSESSMENT DATE: 12/01/87                NASA DATA:
ASSESSMENT ID:   BFS-507X                  BASELINE [   ]
NASA FMEA #:     05-6S-BD102-1                  NEW [ X ]

SUBSYSTEM:       BACKUP FLIGHT SYSTEM
MDAC ID:         507
ITEM:            DIODE, MAIN BUS ISOLATION TO BFS GPC AND BFC

LEAD ANALYST:    L.W. HINSDALE

ASSESSMENT:

          CRITICALITY     REDUNDANCY SCREENS      CIL
            FLIGHT                                ITEM
           HDW/FUNC        A       B       C

NASA      [ 3 /1R ]      [ P ]   [ F ]   [ P ]   [ X ] *
IOA       [ 3 /1R ]      [ P ]   [ F ]   [ P ]   [ X ]
COMPARE   [   /   ]      [   ]   [   ]   [   ]   [   ]

RECOMMENDATIONS: (If different from NASA)

          [   /   ]      [   ]   [   ]   [   ]   [   ]
                                                 (ADD/DELETE)

* CIL RETENTION RATIONALE: (If applicable)

ADEQUATE [ X ]
INADEQUATE [ ]

REMARKS: 

THE IOA AGREES WITH THE NASA ASSESSMENT OF THIS FAILURE MODE. 


APPENDIX C
ASSESSMENT WORKSHEET

ASSESSMENT DATE: 12/01/87                NASA DATA:
ASSESSMENT ID:   BFS-508X                  BASELINE [   ]
NASA FMEA #:     05-6S-BD102-3                  NEW [ X ]

SUBSYSTEM:       BACKUP FLIGHT SYSTEM
MDAC ID:         508
ITEM:            DIODE, MAIN BUS ISOLATION TO BFS GPC AND BFC

LEAD ANALYST:    L.W. HINSDALE

ASSESSMENT:

          CRITICALITY     REDUNDANCY SCREENS      CIL
            FLIGHT                                ITEM
           HDW/FUNC        A       B       C

NASA      [ 3 /1R ]      [ P ]   [ F ]   [ P ]   [ X ]
IOA       [ 3 /1R ]      [ P ]   [ F ]   [ P ]   [ X ]
COMPARE   [   /   ]      [   ]   [   ]   [   ]   [   ]

RECOMMENDATIONS: (If different from NASA)

          [   /   ]      [   ]   [   ]   [   ]   [   ]
                                                 (ADD/DELETE)

* CIL RETENTION RATIONALE: (If applicable) 

ADEQUATE [ X ] 
INADEQUATE [ ] 

REMARKS: 

THE IOA AGREES WITH THE NASA ASSESSMENT OF THIS FAILURE MODE. 


APPENDIX C
ASSESSMENT WORKSHEET

ASSESSMENT DATE: 12/01/87                NASA DATA:
ASSESSMENT ID:   BFS-509X                  BASELINE [   ]
NASA FMEA #:     05-6S-BFUS5-1                  NEW [ X ]

SUBSYSTEM:       BACKUP FLIGHT SYSTEM
MDAC ID:         509
ITEM:            FUSE F28, 5 AMP - MAIN BUS SUPPLY TO BFS BFC
                 POWER MONITOR LOGIC

LEAD ANALYST:    L.W. HINSDALE

ASSESSMENT:

          CRITICALITY     REDUNDANCY SCREENS      CIL
            FLIGHT                                ITEM
           HDW/FUNC        A       B       C

NASA      [ 2 /1R ]      [ P ]   [ P ]   [ P ]   [ X ] *
IOA       [ 1 /1  ]      [ P ]   [ P ]   [ P ]   [ X ]
COMPARE   [ N /N  ]      [   ]   [   ]   [   ]   [   ]

RECOMMENDATIONS: (If different from NASA)

          [   /   ]      [   ]   [   ]   [   ]   [   ]
                                                 (ADD/DELETE)

* CIL RETENTION RATIONALE: (If applicable)

ADEQUATE [ X ]
INADEQUATE [ ]

REMARKS:

THE FMEA COUNTED PASS GENERIC FAILURE IN ADDITION TO THE FUSE
FAILED OPEN MODE WHEN ASSIGNING CRITICALITY. THE IOA ASSIGNED
CRITICALITY BASED ON THE ASSUMPTION THE BFS HAS BEEN OR WILL BE
ENGAGED.

SINCE BOTH ANALYSIS METHODS CONCLUDE THAT OPEN FAILURE OF THE
FUSE IS JUSTIFICATION FOR INCLUSION ON THE CIL, THE IOA RECOMMENDS
THE FMEA CRITICALITY BE RETAINED.


APPENDIX C
ASSESSMENT WORKSHEET

ASSESSMENT DATE: 12/18/86                NASA DATA:
ASSESSMENT ID:   BFS-601                   BASELINE [   ]
NASA FMEA #:     05-8-BFS010-0001               NEW [ X ]

SUBSYSTEM:       BACKUP FLIGHT SYSTEM
MDAC ID:         601
ITEM:            BFC ENGAGE LIGHT

LEAD ANALYST:    L.W. HINSDALE/E.E. PRUST

ASSESSMENT:

          CRITICALITY     REDUNDANCY SCREENS      CIL
            FLIGHT                                ITEM
           HDW/FUNC        A       B       C

NASA      [ 3 /3  ]      [ P ]   [ P ]   [ P ]   [   ] *
IOA       [ 3 /3  ]      [ P ]   [ P ]   [ P ]   [   ]
COMPARE   [   /   ]      [   ]   [   ]   [   ]   [   ]

RECOMMENDATIONS: (If different from NASA)

          [   /   ]      [   ]   [   ]   [   ]   [   ]
                                                 (ADD/DELETE)

* CIL RETENTION RATIONALE: (If applicable) 

ADEQUATE [ ] 

INADEQUATE [ ] 

REMARKS: 

THE NASA ANALYSIS AND THE IOA AGREE COMPLETELY. 


APPENDIX C

ASSESSMENT WORKSHEET

ASSESSMENT DATE: 12/18/86                NASA DATA:
ASSESSMENT ID:   BFS-602                   BASELINE [ X ]
NASA FMEA #:     05-8-BFS010-0002               NEW [   ]

SUBSYSTEM:       BACKUP FLIGHT SYSTEM
MDAC ID:         602
ITEM:            BFC ENGAGE LIGHT

LEAD ANALYST:    L.W. HINSDALE/E.E. PRUST

ASSESSMENT:

          CRITICALITY     REDUNDANCY SCREENS      CIL
            FLIGHT                                ITEM
           HDW/FUNC        A       B       C

NASA      [ 3 /3  ]      [ P ]   [ P ]   [ P ]   [   ] *
IOA       [ 3 /3  ]      [ P ]   [ P ]   [ P ]   [   ]
COMPARE   [   /   ]      [   ]   [   ]   [   ]   [   ]

RECOMMENDATIONS: (If different from NASA)

          [   /   ]      [   ]   [   ]   [   ]   [   ]
                                                 (ADD/DELETE)

* CIL RETENTION RATIONALE: (If applicable)

ADEQUATE [ ]
INADEQUATE [ ]

REMARKS:

THE NASA ANALYSIS AND THE IOA AGREE COMPLETELY.


APPENDIX C
ASSESSMENT WORKSHEET

ASSESSMENT DATE: 12/18/86                NASA DATA:
ASSESSMENT ID:   BFS-1001X                 BASELINE [ X ]
NASA FMEA #:     05-8-BFS003-0001               NEW [   ]

SUBSYSTEM:       BACKUP FLIGHT SYSTEM
MDAC ID:         1001
ITEM:            INERTIAL MEASUREMENT UNIT (IMU)

LEAD ANALYST:    L.W. HINSDALE/E.E. PRUST

ASSESSMENT:

          CRITICALITY     REDUNDANCY SCREENS      CIL
            FLIGHT                                ITEM
           HDW/FUNC        A       B       C

NASA      [ 1 /1  ]      [ NA]   [ NA]   [ NA]   [ X ]
IOA       [ 1 /1  ]      [ NA]   [ F ]   [ P ]   [ X ]
COMPARE   [   /   ]      [   ]   [ N ]   [ N ]   [   ]

RECOMMENDATIONS: (If different from NASA)

          [   /   ]      [   ]   [   ]   [   ]   [   ]
                                                 (ADD/DELETE)

* CIL RETENTION RATIONALE: (If applicable)

ADEQUATE [ X ]
INADEQUATE [ ]

REMARKS: 

THE IOA AGREES WITH THE NASA ASSESSMENT OF THE EFFECT OF 
THIS FAILURE. 

HOWEVER, THE FAILURE MODE ANALYZED IS A SOFTWARE FAILURE, 
AND IS OUTSIDE THE SCOPE OF A HARDWARE ANALYSIS. 


APPENDIX C
ASSESSMENT WORKSHEET

ASSESSMENT DATE: 12/18/86                NASA DATA:
ASSESSMENT ID:   BFS-2001X                 BASELINE [ X ]
NASA FMEA #:     05-8-BFS012-1                  NEW [   ]

SUBSYSTEM:       BACKUP FLIGHT SYSTEM
MDAC ID:         2001
ITEM:            AIR DATA TRANSDUCER ASSEMBLY (ADTA)

LEAD ANALYST:    L.W. HINSDALE/E.E. PRUST

ASSESSMENT:

          CRITICALITY     REDUNDANCY SCREENS      CIL
            FLIGHT                                ITEM
           HDW/FUNC        A       B       C

NASA      [ 2 /1R ]      [ NA]   [ NA]   [ NA]   [ X ]
IOA       [ 1 /1  ]      [ P ]   [ F ]   [ P ]   [ X ]
COMPARE   [ N /N  ]      [ N ]   [ N ]   [ N ]   [   ]

RECOMMENDATIONS: (If different from NASA)

          [   /   ]      [   ]   [   ]   [   ]   [   ]
                                                 (ADD/DELETE)

* CIL RETENTION RATIONALE: (If applicable)

ADEQUATE [ X ]
INADEQUATE [ ]

REMARKS:

THE IOA AGREES WITH THE NASA ASSESSMENT OF THIS FAILURE.

THE DIFFERENCE IN CRITICALITY IS DUE TO A DIFFERENCE IN
INTERPRETATION OF FMEA/CIL PREPARATION INSTRUCTIONS.

HOWEVER, THE IOA BELIEVES THAT THIS HARDWARE IS OUTSIDE THE
SCOPE OF THE BACKUP FLIGHT SYSTEM, AND SHOULD INSTEAD BE DEALT
WITH IN THE GN&C SUBSYSTEM FMEAs.


APPENDIX C
ASSESSMENT WORKSHEET

ASSESSMENT DATE: 12/18/86                NASA DATA:
ASSESSMENT ID:   BFS-2002X                 BASELINE [ X ]
NASA FMEA #:     05-8-BFS013-1                  NEW [   ]

SUBSYSTEM:       BACKUP FLIGHT SYSTEM
MDAC ID:         2002
ITEM:            PROBE (AIR DATA)

LEAD ANALYST:    L.W. HINSDALE, E.E. PRUST

ASSESSMENT:

          CRITICALITY     REDUNDANCY SCREENS      CIL
            FLIGHT                                ITEM
           HDW/FUNC        A       B       C

NASA      [ 2 /1R ]      [ NA]   [ NA]   [ NA]   [ X ] *
IOA       [ 1 /1  ]      [ P ]   [ F ]   [ P ]   [ X ]
COMPARE   [ N /N  ]      [ N ]   [ N ]   [ N ]   [   ]

RECOMMENDATIONS: (If different from NASA)

          [   /   ]      [   ]   [   ]   [   ]   [   ]
                                                 (ADD/DELETE)

* CIL RETENTION RATIONALE: (If applicable)

ADEQUATE [ X ]
INADEQUATE [ ]

REMARKS: 

THE IOA AGREES WITH THE NASA ASSESSMENT OF THIS FAILURE. 

THE DIFFERENCE IN CRITICALITY IS DUE TO A DIFFERENCE IN 
INTERPRETATION OF FMEA/CIL PREPARATION INSTRUCTIONS. 

HOWEVER, THE IOA BELIEVES THAT THIS HARDWARE IS OUTSIDE THE 
SCOPE OF THE BACKUP FLIGHT SYSTEM, AND SHOULD INSTEAD BE DEALT 
WITH IN THE GN&C SUBSYSTEM FMEAs. 



APPENDIX D

CRITICAL ITEMS


APPENDIX D

POTENTIAL CRITICAL ITEMS

NASA FMEA         MDAC-ID  FLIGHT  ITEM                                                FAILURE MODE

05-3-12200A-1     101      2/1R    POWER SUPPLY A (B, C) TO L(R) RHC                   LOSS OF OUTPUT, PARTIAL OUTPUT
05-3-12200A-2     101      2/1R    POWER SUPPLY A (B, C) TO L(R) RHC                   LOSS OF OUTPUT, PARTIAL OUTPUT
05-3-12200B-1     101      2/1R    POWER SUPPLY A (B, C) TO L(R) RHC                   LOSS OF OUTPUT, PARTIAL OUTPUT
05-3-12200B-2     101      2/1R    POWER SUPPLY A (B, C) TO L(R) RHC                   LOSS OF OUTPUT, PARTIAL OUTPUT
05-5-B30-1-2      201      1/1     HALT RELAY                                          INADVERTENT OPERATION, FAILS TO REMAIN OPEN
05-5-B30-1-2      202      3/2R    HALT RELAY                                          FAILS TO CLOSE
05-5-B30-1-2      203      2/1R    HAND CONTROLLER ENGAGE DRIVER                       LOSS OF DISCRETE OUTPUT
05-5-B30-1-2      204      1/1     HAND CONTROLLER ENGAGE DRIVER                       LOSS OF 28 VDC OUTPUT
05-5-B30-1-2      205      1/1     ENGAGE/DISENGAGE LOGIC                              LOSS OF OUTPUT, ERRONEOUS OUTPUT
05-5-B30-1-2      207      1/1     BFC POWER SUPPLY (5 VDC)                            LOSS OF OUTPUT, PARTIAL OUTPUT, FAILS OUT OF TOLERANCE
05-5-B30-1-2      208      1/1     POWER UP/DOWN MONITOR LOGIC                         INADVERTENT OPERATION
05-5-B30-1-2      209      1/1     POWER UP/DOWN MONITOR LOGIC                         LOSS OF OUTPUT
05-5-B30-1-3      210      3/1R    BACKUP FLIGHT CNTL                                  INADVERTENT ENGAGE
05-5-B01-1-1      301      1/1     BACKUP GPC (USUALLY GPC 5)                          LOSS OF OUTPUT
05-5-B02-1-1      301      1/1     BACKUP GPC (USUALLY GPC 5)                          LOSS OF OUTPUT
05-5-B01-1-2      302      1/1     BACKUP GPC (USUALLY GPC 5)                          ERRONEOUS OUTPUT
05-5-B02-1-2      302      1/1     BACKUP GPC (USUALLY GPC 5)                          ERRONEOUS OUTPUT
05-5-B32-1-1      401      2/1R    BFS ENGAGE PUSHBUTTON                               FAILS TO CLOSE
05-5-B31-1-1      404      1/1     BFC DISENGAGE SW                                    FAILS TO REMAIN OPEN, FAILS TO RE-OPEN
05-6S-BSW7-1      407      1/1     BFS GPC (USUALLY GPC 5) POWER SWITCH                FAILS TO CLOSE, FAILS TO REMAIN CLOSED
05-5-B15-1-1      408      1/1     BFS GPC (USUALLY GPC 5) PWR SW                      FAILS OUT OF "BACKUP"
05-5-B17-1-1      409      1/1     BFS GPC (USUALLY GPC 5) MODE SW                     INADVERTENTLY IN "HALT"
05-6Q-2103A-1     501      3/1R    CIRCUIT BREAKER, 7.5 AMP                            OPEN CIRCUIT
05-6Q-2103B-1     501      3/1R    CIRCUIT BREAKER, 7.5 AMP                            OPEN CIRCUIT
05-6S-BFUS4-1     502      1/1     FUSE F9, 1 AMP. - CNTL BUS AB3                      OPEN CIRCUIT
05-6S-BFUS4-1     503      1/1     FUSE F10, 1 AMP. - CNTL BUS AB3                     OPEN CIRCUIT
05-6S-BFUS4-1     504      1/1     FUSE F11, 1 AMP. - CNTL BUS AB3                     OPEN CIRCUIT
05-6S-BFUS3-1     505      1/1     FUSE F49, 3 AMP. - ESS BUS 3AB                      OPEN CIRCUIT
05-6S-BD102-1     507      3/1R    DIODE, MAIN BUS ISOLATION TO BFS GPC AND BFC        FAILS TO CONDUCT, OPEN, HIGH RESISTANCE
05-6S-BD102-3     508      3/1R    DIODE, MAIN BUS ISOLATION TO BFS GPC AND BFC        SHORTS, CONDUCTS IN REVERSE DIRECTION
05-6S-BFUS5-1     509      1/1     FUSE F28, 5 AMP - MAIN BUS SUPPLY TO BFS BFC POWER  OPEN
05-8-BFS003-000   1001     1/1     INERTIAL MEASUREMENT UNIT                           ERRONEOUS OUTPUT
05-8-BFS012-1     2001     1/1     AIR DATA TRANSDUCER                                 ERRONEOUS OUTPUT
05-8-BFS013-1     2002     1/1     PROBE (AIR DATA)                                    ERRONEOUS OUTPUT
APPENDIX E
ANALYSIS WORKSHEETS


This appendix contains the IOA analysis worksheets supplementing
previous results reported in STSEOS Working Paper 1.0-WP-VA86001-18,
Analysis of the Backup Flight System (15 December 1986).
Prior results were obtained independently and documented before
starting the FMEA/CIL assessment activity. Supplemental analysis
was performed to address failure modes not previously considered
by the IOA. Each sheet identifies the hardware item being
analyzed, parent assembly, and function performed. For each
failure mode, possible causes are identified, and hardware and
functional criticality for each mission phase are determined as
described in the Instructions for Preparation of FMEA and CIL,
NSTS 22206, 10 October 1986. Finally, effects are entered at the
bottom of each sheet, and the worst case criticality is entered
at the top.


LEGEND FOR IOA ANALYSIS WORKSHEETS


Hardware Criticalities:

1 = Loss of life or vehicle
2 = Loss of mission
3 = Non loss of life or vehicle or mission

Functional Criticalities:

1R = Redundant identical hardware components or redundant
     functional paths all of which, if failed, could cause
     loss of life or vehicle.

2R = Redundant identical hardware components or redundant
     functional paths all of which, if failed, could cause
     loss of mission.

Redundancy Screen A:

1  = Is Checked Out PreFlight
2  = Is Capable of Check Out PreFlight
3  = Not Capable of Check Out PreFlight
NA = Not Applicable

Redundancy Screens B and C:

P  = Passed Screen
F  = Failed Screen
NA = Not Applicable



INDEPENDENT ORBITER ASSESSMENT
ORBITER SUBSYSTEM ANALYSIS WORKSHEET

DATE:          12/03/87                  HIGHEST CRITICALITY  HDW/FUNC
SUBSYSTEM:     BACKUP FLIGHT SYSTEM        FLIGHT:            3/1R
MDAC ID:       210                         ABORT:             3/1R

ITEM:          BACKUP FLIGHT CONTROLLER - BFC 2
FAILURE MODE:  INADVERTENT ENGAGE

LEAD ANALYST:  L.W. HINSDALE             SUBSYS LEAD: J.J. EWELL

BREAKDOWN HIERARCHY:
  1) BACKUP FLIGHT CONTROLLER
  2)
  3)
  4)
  5)
  6)
  7)
  8)
  9)

CRITICALITIES

  FLIGHT PHASE     HDW/FUNC      ABORT   HDW/FUNC
  PRELAUNCH:       3/2R          RTLS:   3/1R
  LIFTOFF:         3/1R          TAL:    3/1R
  ONORBIT:         3/1R          AOA:    3/1R
  DEORBIT:         3/1R          ATO:    3/1R
  LANDING/SAFING:  3/1R

REDUNDANCY SCREENS:  A [ 2 ]   B [ F ]   C [ P ]

LOCATION:      FWD AVIONICS BAY
PART NUMBER:   MC615-0023-0003








CAUSES: PIECE PART FAILURE, VIBRATION, CONTAMINATION 


EFFECTS/RATIONALE : 

PREMATURE BFS ENGAGE, POSSIBLE FORCE FIGHT IF SOME PASS GPC 
OUTPUTS ARE NOT DISABLED, POSSIBLE LOSS OF CONTROL - LOSS OF 
VEHICLE AND LOSS OF CREW. 


REFERENCES : 


INDEPENDENT ORBITER ASSESSMENT
ORBITER SUBSYSTEM ANALYSIS WORKSHEET

DATE:          12/03/87                  HIGHEST CRITICALITY  HDW/FUNC
SUBSYSTEM:     BACKUP FLIGHT SYSTEM        FLIGHT:            3/1R
MDAC ID:       507                         ABORT:             3/1R

ITEM:          DIODE, MAIN BUS ISOLATION TO BFS GPC AND BFC
FAILURE MODE:  FAILS TO CONDUCT. OPEN, HIGH RESISTANCE

LEAD ANALYST:  L.W. HINSDALE             SUBSYS LEAD: J.J. EWELL

BREAKDOWN HIERARCHY:
  1) CIRCUIT PROTECTION
  2)
  3)
  4)
  5)
  6)
  7)
  8)
  9)

CRITICALITIES

  FLIGHT PHASE     HDW/FUNC      ABORT   HDW/FUNC
  PRELAUNCH:       3/3           RTLS:   3/1R
  LIFTOFF:         3/1R          TAL:    3/1R
  ONORBIT:         3/2R          AOA:    3/1R
  DEORBIT:         3/1R          ATO:    3/1R
  LANDING/SAFING:  3/1R

REDUNDANCY SCREENS:  A [ 2 ]   B [ F ]   C [ P ]

LOCATION:

PART NUMBER: JANTX 1N11884 

CAUSES: CONTAMINATION, SHOCK, VIBRATION, PIECE PART FAILURE 


EFFECTS/RATIONALE : 

THE TRIPLE REDUNDANT MAIN BUS POWER PATHS TO EACH IOP, CPU AND 
BFC ARE ISOLATED BY DIODES. TWO DIODES CAN FAIL WITH NO EFFECT. 
THE THIRD FAILURE CAUSES LOSS OF THE INTERFACING GPC. 

THREE FAILURES COULD PREVENT THE BFS FROM BEING ENGAGED. WITH 
BFS ENGAGED, THREE FAILURES WOULD CAUSE LOSS OF CONTROL, LOSS OF 
VEHICLE, AND LOSS OF CREW. 


REFERENCES : 


INDEPENDENT ORBITER ASSESSMENT
ORBITER SUBSYSTEM ANALYSIS WORKSHEET

DATE:          12/03/87                  HIGHEST CRITICALITY  HDW/FUNC
SUBSYSTEM:     BACKUP FLIGHT SYSTEM        FLIGHT:            3/1R
MDAC ID:       508                         ABORT:             3/1R

ITEM:          DIODE, MAIN BUS ISOLATION TO BFS GPC AND BFC
FAILURE MODE:  SHORTS, CONDUCTS IN REVERSE DIRECTION

LEAD ANALYST:  L.W. HINSDALE             SUBSYS LEAD: J.J. EWELL

BREAKDOWN HIERARCHY:
  1) CIRCUIT PROTECTION
  2)
  3)
  4)
  5)
  6)
  7)
  8)
  9)

CRITICALITIES

  FLIGHT PHASE     HDW/FUNC      ABORT   HDW/FUNC
  PRELAUNCH:       3/3           RTLS:   3/1R
  LIFTOFF:         3/1R          TAL:    3/1R
  ONORBIT:         3/2R          AOA:    3/1R
  DEORBIT:         3/1R          ATO:    3/1R
  LANDING/SAFING:  3/1R

REDUNDANCY SCREENS:  A [ 2 ]   B [ F ]   C [ P ]

LOCATION:
PART NUMBER:   JANTX 1N11884

CAUSES: CONTAMINATION, SHOCK, VIBRATION, PIECE PART FAILURE 


EFFECTS/RATIONALE : 

THE TRIPLE REDUNDANT MAIN BUS POWER PATHS TO EACH IOP, CPU AND 
BFC ARE ISOLATED BY DIODES. TWO DIODES CAN FAIL WITH NO EFFECT. 
THE THIRD FAILURE CAUSES LOSS OF THE INTERFACING GPC. 

THREE FAILURES COULD PREVENT THE BFS FROM BEING ENGAGED. WITH 
BFS ENGAGED, THREE FAILURES WOULD CAUSE LOSS OF CONTROL, LOSS OF 
VEHICLE, AND LOSS OF CREW. 


REFERENCES : 


INDEPENDENT ORBITER ASSESSMENT
ORBITER SUBSYSTEM ANALYSIS WORKSHEET

DATE:          12/03/87                  HIGHEST CRITICALITY  HDW/FUNC
SUBSYSTEM:     BACKUP FLIGHT SYSTEM        FLIGHT:            1/1
MDAC ID:       509                         ABORT:             1/1

ITEM:          FUSE F28, 5 AMP - MAIN BUS SUPPLY TO BFS BFC POWER
               MONITOR LOGIC
FAILURE MODE:  OPEN

LEAD ANALYST:  L.W. HINSDALE             SUBSYS LEAD: J.J. EWELL

BREAKDOWN HIERARCHY:
  1) CIRCUIT PROTECTION
  2)
  3)
  4)
  5)
  6)
  7)
  8)
  9)

CRITICALITIES

  FLIGHT PHASE     HDW/FUNC      ABORT   HDW/FUNC
  PRELAUNCH:       1/1           RTLS:   1/1
  LIFTOFF:         1/1           TAL:    1/1
  ONORBIT:         3/1R          AOA:    1/1
  DEORBIT:         1/1           ATO:    1/1
  LANDING/SAFING:  1/1

REDUNDANCY SCREENS:  A [ 2 ]   B [ P ]   C [ P ]

LOCATION:
PART NUMBER:   ME451-0018-0500




CAUSES: VIBRATION, SHOCK, STRUCTURAL FAILURE 

EFFECTS/RATIONALE : 

FAILURE PREVENTS BFS FROM BEING ENGAGED. WITH BFS ENGAGED, 
FAILURE CAUSES LOSS OF CONTROL, LOSS OF VEHICLE AND CREW. 


REFERENCES : 


INDEPENDENT ORBITER ASSESSMENT
ORBITER SUBSYSTEM ANALYSIS WORKSHEET

DATE:          12/18/86                  HIGHEST CRITICALITY  HDW/FUNC
SUBSYSTEM:     BACKUP FLIGHT SYSTEM        FLIGHT:            1/1
MDAC ID:       1001                        ABORT:             1/1

ITEM:          INERTIAL MEASUREMENT UNIT (IMU)
FAILURE MODE:  ERRONEOUS OUTPUT FROM PASS DUE TO GENERIC FAILURE
               OF PRIMARY SYSTEM SOFTWARE

LEAD ANALYST:  L.W. HINSDALE/E.E. PRUST  SUBSYS LEAD: J.J. EWELL

BREAKDOWN HIERARCHY:
  1) IMU
  2)
  3)
  4)
  5)
  6)
  7)
  8)
  9)

CRITICALITIES

  FLIGHT PHASE     HDW/FUNC      ABORT   HDW/FUNC
  PRELAUNCH:       3/2R          RTLS:   1/1
  LIFTOFF:         1/1           TAL:    1/1
  ONORBIT:         1/1           AOA:    1/1
  DEORBIT:         1/1           ATO:    1/1
  LANDING/SAFING:  1/1

REDUNDANCY SCREENS:  A [ NA]   B [ F ]   C [ P ]

LOCATION:
PART NUMBER:   MC409-0004-0010


CAUSES: ERRONEOUS SOFTWARE TORQUING INPUT OR MODING COMMAND 

EFFECTS/RATIONALE : 

NAVIGATION ERRORS WILL ACCUMULATE CAUSING LOSS OF VEHICLE 
CONTROL. SUCCESSFUL BFS TAKEOVER IS PRECLUDED. 


REFERENCES : 


INDEPENDENT ORBITER ASSESSMENT
ORBITER SUBSYSTEM ANALYSIS WORKSHEET

DATE:          12/18/86                  HIGHEST CRITICALITY  HDW/FUNC
SUBSYSTEM:     BACKUP FLIGHT SYSTEM        FLIGHT:            1/1
MDAC ID:       2001                        ABORT:             1/1

ITEM:          AIR DATA TRANSDUCER ASSEMBLY (ADTA)
FAILURE MODE:  ERRONEOUS OUTPUT

LEAD ANALYST:  L.W. HINSDALE/E.E. PRUST  SUBSYS LEAD: J.J. EWELL

BREAKDOWN HIERARCHY:
  1) AIR DATA SYSTEM
  2)
  3)
  4)
  5)
  6)
  7)
  8)
  9)

CRITICALITIES

  FLIGHT PHASE     HDW/FUNC      ABORT   HDW/FUNC
  PRELAUNCH:       3/3           RTLS:   1/1
  LIFTOFF:         3/3           TAL:    1/1
  ONORBIT:         3/3           AOA:    1/1
  DEORBIT:         1/1           ATO:    3/3
  LANDING/SAFING:  1/1

REDUNDANCY SCREENS:  A [ 2 ]   B [ F ]   C [ P ]

LOCATION:
PART NUMBER:   MC409-0011-0006

CAUSES: HIGH TEMPERATURE, VIBRATION, PIECE PART STRUCTURAL
FAILURE

EFFECTS/RATIONALE:

ERRONEOUS OUTPUT FROM AN ADTA CAN AFFECT CALCULATIONS OF CRITICAL
FLIGHT CONTROL PARAMETERS. IF UNDETECTED, LOSS OF CONTROL, LOSS
OF VEHICLE, AND LOSS OF CREW IS PROBABLE.


REFERENCES : 


INDEPENDENT ORBITER ASSESSMENT
ORBITER SUBSYSTEM ANALYSIS WORKSHEET

DATE:          12/18/86                  HIGHEST CRITICALITY  HDW/FUNC
SUBSYSTEM:     BACKUP FLIGHT SYSTEM        FLIGHT:            1/1
MDAC ID:       2002                        ABORT:             1/1

ITEM:          PROBE (AIR DATA)
FAILURE MODE:  ERRONEOUS OUTPUT

LEAD ANALYST:  L.W. HINSDALE, E.E. PRUST SUBSYS LEAD: J.J. EWELL

BREAKDOWN HIERARCHY:
  1) AIR DATA SYSTEM
  2)
  3)
  4)
  5)
  6)
  7)
  8)
  9)

CRITICALITIES

  FLIGHT PHASE     HDW/FUNC      ABORT   HDW/FUNC
  PRELAUNCH:       3/3           RTLS:   1/1
  LIFTOFF:         3/3           TAL:    1/1
  ONORBIT:         3/3           AOA:    1/1
  DEORBIT:         1/1           ATO:    3/3
  LANDING/SAFING:  1/1

REDUNDANCY SCREENS:  A [ 2 ]   B [ F ]   C [ P ]

LOCATION:
PART NUMBER:   MC432-0206

CAUSES:

FAILURE IN EITHER PROBE (IF UNDETECTED BY ADTA BITE PRIOR TO
ENGAGING BFS) WILL CAUSE LOSS OF CONTROL, LOSS OF VEHICLE AND
CREW.


REFERENCES : 


REPORT DATE 02/22/88 
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APPENDIX F 


NASA FMEA TO IOA WORKSHEET CROSS REFERENCE/RECOMMENDATIONS 


This section provides a cross reference between the NASA FMEA and
the corresponding IOA analysis worksheet(s). The worksheets include
those from the previous results reported in STSEOS Working Paper
1.0-WP-VA86001-18, Analysis of the Backup Flight System (15
December 1986), and the supplementary worksheets contained in
Appendix E of this report. Appendix F identifies: NASA FMEA
Number, IOA Assessment Number, NASA criticality and redundancy
screen data, and IOA recommendations.


Appendix F Resolution/Issue/Rationale Codes

Code   Definition

1      IOA and NASA criticalities differ. IOA does not
       consider PASS as a redundant capability to the BFS.
       NASA counts PASS failure as the first failure when
       assigning BFS failure mode criticalities.

2      IOA recommends generating a FMEA for the subject
       failure mode.

3      IOA identified failures within an LRU.

4      FMEA went one level deeper than the IOA.

5      IOA and FMEA document same failure mode differently.

6      NASA deleted failure mode impact on BFS from Nov. '87
       baseline.

7      NASA moved CIL to GN&C subsystem in Nov. '87 baseline.
NASA FMEA TO IOA WORKSHEET CROSS REFERENCE / RECOMMENDATIONS

IDENTIFIERS                      | NASA              | IOA RECOMMENDATIONS                    | ISSUE
NASA FMEA NUMBER  IOA ASSESSMENT | CRIT  SCREENS     | CRIT  SCREENS     OTHER                |
                  NUMBER         | HW/F  A   B   C   | HW/F  A   B   C   (SEE LEGEND CODE)    |

                  BFS-206        | /                 | /                 3                    |
                  BFS-402        | /                 | 3/3   P   P   NA  2                    |
                  BFS-403        | /                 | 3/2R  P   P   NA  2                    |
                  BFS-405        | /                 | 3/3   P   P   NA  [illegible]          |
                  BFS-406        | /                 | 3/3   P   P   NA  [illegible]          |
                  BFS-506        | /                 | 3/1R  P   P   P   2                    |
05-3-12208A-1     BFS-101        | 3/1R  P   P   F   | /                 1, 5                 |
05-3-12200A-2     BFS-131A       | 3/1R  P   F   F   | /                 1, 5                 |
05-3-12200B-1     BFS-101B       | 3/1R  P   P   F   | /                 1, 5                 |
05-3-12200B-2     BFS-181C       | 3/1R  P   P   F   | /                 1, 5                 |
05-5-B01-1-1      BFS-301        | 2/1R  P   P   P   | /                 1, 4                 |
05-5-B01-1-2      BFS-302        | 1/1               | /                 4                    |
05-5-B02-1-1      BFS-301A       | 2/1R  P   P   P   | /                 1, [illegible]       |
05-5-B02-1-2      BFS-302A       | 1/1               | /                 4                    |
05-5-815-1-1      BFS-408        | 2/1R  P   F   P   | /                 1                    |
05-5-817-1-1      BFS-409        | 2/1R  P   F   P   | /                 1                    |
05-5-B30-1-2      BFS-201        | 2/1R  F   F   P   | /                 1, 2, 3              |
                  BFS-202        | 2/1R  F   F   P   | /                 1, 2, 3              |
                  BFS-203        | 2/1R  F   F   P   | /                 3                    |
                  BFS-204        | 2/1R  F   F   P   | /                 1, 3                 |
                  BFS-205        | 2/1R  F   F   P   | /                 1, 3                 |
                  BFS-287        | 2/1R  F   F   P   | /                 1, 3                 |
                  BFS-208        | 2/1R  F   F   P   | /                 1, 3                 |
                  BFS-209        | 2/1R  F   F   P   | /                 1, 3                 |
05-5-B30-1-3      BFS-210X       | 3/1R  P   F   P   | /                                      |
05-5-B31-1-1      BFS-404        | 2/1R  P   F   P   | /                 1                    |
05-5-B32-1-1      BFS-401        | 3/1R  P   F   P   | /                 1                    |
05-6B-2103A-1     BFS-501        | 3/1R  P   F   P   | /                 4                    |
05-6Q-2103B-1     BFS-501A       | 3/1R  P   F   P   | /                 4                    |
05-6S-BD182*      BFS-507X       | 3/1R  P   F   P   | /                                      |
05-6S-ED102-3     BFS-50BX       | 3/1R  P   F   P   | /                                      |
05-6S-BFUS3-1     BFS-505        | 2/1R  P   F   P   | /                 1                    |
05-6S-BFUS4-1     BFS-502        | 2/1R  P   F   P   | /                 1, 3                 |
                  BFS-503        | 2/1R  P   F   P   | /                 1, 3                 |
                  BFS-504        | 2/1R  P   F   P   | /                 1, 3                 |
05-6S-BFUS5-1     BFS-509X       | 2/1R  P   P   P   | /                 1                    |
05-6S-BSH7-1      BFS-407        | 2/1R  P   P   P   | /                 1                    |
05-B-BFS003-0001  BFS-1001X      | 1/1   NA  NA  NA  | /                 6                    |
05-8-BFS018-0001  BFS-601        | 3/3   P   P   P   | /                                      |
05-3-BFS010-0002  BFS-682        | 3/3   P   P   P   | /                                      |
05-8-BFS012-1     BFS-2301X      | 2/1R  NA  NA  NA  | /                 1, 7                 |
05-8-BFS013-1     BFS-2002X      | 2/1R  NA  NA  NA  | /                 1, 7                 |